[Freeipa-users] LDAP server failover via altServer attribute?

Guillermo Fuentes guillermo.fuentes at modernizingmedicine.com
Sun May 22 18:31:07 UTC 2016


This is great info Razvan. Thanks for sharing it!
We provision Macs by pushing configuration scripts via Munki.
Can you point me where I can find more documentation about this?
Thanks again,
Guillermo

On Fri, May 20, 2016 at 3:45 PM, "Răzvan Corneliu C.R. VILT" <
razvan.vilt at me.com> wrote:

> Hi guys,
>
> Regarding the Macs, there are a few notes:
>
> 1) The template kerberos setup can be pushed through LDAP
> (cn=KerberosClient and cn=KerberosKDC,cn=config)
> 2) The LDAP replicas can also be configured in cn=config and are cached
> by OpenDirectory in the following format:
>
> dn: cn=ldapreplicas, cn=config, dc=example, dc=com
> objectClass: apple-configuration
> apple-ldap-replica: ldap://192.168.1.1
> apple-ldap-replica: ldap://192.168.2.2
> apple-ldap-writable-replica: ldap://192.168.1.1
> apple-ldap-writable-replica: ldap://192.168.2.2
> apple-xml-plist: base64 encode of:
> ---------------------
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>     <key>GUID</key>
>     <string>01234567-89AB-CDEF-0123-456789ABCDEF</string>
>     <key>IPaddresses</key><!-- of the master ipa host if there are multiple interfaces for it -->
>     <array>
>         <string>192.168.1.1</string>
>         <string>10.0.0.1</string>
>     </array>
>     <key>PrimaryMaster</key>
>     <string>ipa-server.example.org</string>
>     <key>ReplicaName</key>
>     <string>Master</string>
>     <key>Replicas</key>
>     <array>
>         <string>ipa-bkserver.example.org</string>
>     </array>
>     <!-- use only <array/> if there are no replicas -->
> </dict>
> </plist>
> ----------------------
>
> 3) The main problem with FreeIPA and Mac OS X comes from the SSL part (CRL
> and/or OCSP are enforced). IPA refuses PLAIN authentication on SSL.
>
>
> If you do this manually instead of the OpenDirectory-compatible way, your
> machine doesn't create an account for itself in IPA, so service access
> without login is not available, it doesn't download the root CA
> automatically and you don't get SSO out of the box.
>
>
> On 20 May 2016, at 22:13, Guillermo Fuentes <
> guillermo.fuentes at modernizingmedicine.com> wrote:
>
> SRV record failover works for Kerberos on the Mac. Setting "dns_lookup_kdc
> = yes" and removing the KDC server ("kdc = xxx") entries from the
> /Library/Preferences/edu.mit.Kerberos config file does the trick.
>
> For LDAP, although you can enable it, I can't see it documented anywhere
> so I'm assuming that isn't the recommended way for the Mac. This can be
> enabled by running this for the LDAP server you're using:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use DNS replicas" "true"
>
> Adding the altServer values with the Directory Manager credentials worked
> and I'm happy to report that the failover on the Mac works great with
> FreeIPA!
>
> As suggested by Rob, for three servers, on server ipa1:
> $ ldapmodify -x -D 'cn=directory manager' -W
> Enter LDAP Password:
> dn:
> changetype: modify
> add: altServer
> altServer: ldap://ipa2.example.com
> -
> add: altServer
> altServer: ldap://ipa3.example.com
>
> modifying entry ""
> ^D
>
> The altServer values didn't replicate so I had to add them to each of the
> FreeIPA servers.
>
> Then, tell the Mac (testing on OS X v10.11.5) to use the altServer
> attribute to look for replicas in case of failover:
> sudo odutil set configuration /LDAPv3/ipa1.example.com module ldap option "Use altServer replicas" "true"
>
> And, voila! Highly available authentication with a FreeIPA cluster for the
> Mac!
>
> Thanks so much for your help!
> Guillermo
>
>
> On Fri, May 20, 2016 at 10:38 AM, Rob Crittenden <rcritten at redhat.com>
> wrote:
>
>> Martin Basti wrote:
>>
>>> Hello,
>>>
>>> IPA uses SRV records for failover to another replica/LDAP.
>>>
>>> I don't know how it works on Macs, but in case there is no
>>> possibility to use SRV, you may need to file an RFE ticket
>>> (https://fedorahosted.org/freeipa/newticket)
>>>
>>
>> Agreed, SRV records are the preferred mechanism. I was curious though so
>> played with this a bit and it is possible to add altServer values:
>>
>> $ ldapmodify -x -D 'cn=directory manager' -W
>> Enter LDAP Password:
>> dn:
>> changetype: modify
>> add: altServer
>> altServer: ldap://gyre.example.com
>>
>> modifying entry ""
>> ^D
>>
>> $ ldapsearch -LLL -x -b "" -s base altServer
>> dn:
>> altServer: ldap://gyre.example.com
>>
>> My test rig is a single master so I don't know if this replicates or not.
>>
>> rob
>>
>>
>>> Martin
>>>
>>>
>>> On 19.05.2016 17:43, Guillermo Fuentes wrote:
>>>
>>>> Hello all,
>>>>
>>>> As OS X allows LDAP server failover via the altServer attribute
>>>> (RFC4512) from RootDSE, it would be great to be able to configure our
>>>> Macs to connect to a single FreeIPA server and add other FreeIPA
>>>> servers as multiple altServer values.
>>>> The current schema doesn't seem to support adding this attribute.
>>>> Can this be done in a way I'm missing?
>>>>
>>>> Thanks in advance!
>>>>
>>>> GUILLERMO FUENTES
>>>> SR. SYSTEMS ADMINISTRATOR
>>>>
>>>> 561-880-2998 x1337
>>>>
>>>> guillermo.fuentes at modmed.com <mailto:guillermo.fuentes at modmed.com>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
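The procedure worked out in this thread (adding altServer values to each server's RootDSE separately because they did not replicate, reading them back with ldapsearch, and Răzvan's apple-xml-plist replica description) as an added Python example. This is not code from the thread, from FreeIPA or from Apple; the ldapsearch output below is constructed, the hostnames are the thread's example names, and the plist keys are the ones Răzvan listed (whether OpenDirectory accepts exactly this dict is an assumption, not something verified here).

```python
import base64
import plistlib
from urllib.parse import urlsplit

# Constructed sample of `ldapsearch -LLL -x -b "" -s base altServer` output,
# with one LDIF-folded value (continuation line starting with a space) added
# so the parser is exercised on it.
SAMPLE_ROOTDSE_LDIF = """dn:
altServer: ldap://ipa2.example.com
altServer: ldap://ipa3.example
 .com
"""

# The thread's three example servers (example hostnames, not real hosts).
IPA_SERVERS = ["ipa1.example.com", "ipa2.example.com", "ipa3.example.com"]


def parse_altservers(ldif_text):
    """Return altServer values from RootDSE LDIF, unfolding continuation lines
    (RFC 2849: a line starting with a single space continues the previous one)."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    values = []
    for line in unfolded:
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "altserver":
            values.append(value.strip())
    return values


def is_ldap_url(value):
    """Accept only ldap:// or ldaps:// URLs with a host (RFC 4516 shape), so a
    typo in the RootDSE cannot silently become a client failover target."""
    parts = urlsplit(value)
    return parts.scheme in ("ldap", "ldaps") and bool(parts.hostname)


def altserver_ldif(this_server, all_servers):
    """LDIF for `ldapmodify -x -D 'cn=directory manager' -W` that advertises
    every *other* server in this_server's RootDSE, in the same add/-/add form
    the thread uses. altServer did not replicate in the thread, so this is
    generated (and run) once per server."""
    others = [s for s in all_servers if s != this_server]
    lines = ["dn:", "changetype: modify"]
    for i, host in enumerate(others):
        if i:
            lines.append("-")
        lines.append("add: altServer")
        lines.append("altServer: ldap://%s" % host)
    return "\n".join(lines) + "\n"


def replica_plist_b64(primary, replicas, ip_addresses, guid):
    """base64 of the XML plist Razvan lists for apple-xml-plist. The keys are
    his; that OpenDirectory accepts exactly this dict is an assumption."""
    doc = {
        "GUID": guid,
        "IPaddresses": list(ip_addresses),
        "PrimaryMaster": primary,
        "ReplicaName": "Master",
        "Replicas": list(replicas),
    }
    return base64.b64encode(plistlib.dumps(doc, fmt=plistlib.FMT_XML)).decode("ascii")


def decode_replica_plist(b64):
    """Inverse of replica_plist_b64, for checking what a cn=ldapreplicas entry holds."""
    return plistlib.loads(base64.b64decode(b64))


if __name__ == "__main__":
    found = parse_altservers(SAMPLE_ROOTDSE_LDIF)
    print("altServer values:", found, "all valid:", all(map(is_ldap_url, found)))
    for server in IPA_SERVERS:
        print("# feed this to ldapmodify against", server)
        print(altserver_ldif(server, IPA_SERVERS))
    b64 = replica_plist_b64("ipa-server.example.org", ["ipa-bkserver.example.org"],
                            ["192.168.1.1", "10.0.0.1"],
                            "01234567-89AB-CDEF-0123-456789ABCDEF")
    print("apple-xml-plist:", b64[:40] + "...")
```

The validation step matters because the Mac will follow whatever URLs the RootDSE advertises once "Use altServer replicas" is on; a check that every value is an ldap:// or ldaps:// URL pointing at a host you actually run, done before pushing the LDIF with Directory Manager credentials, is the cheap guard against a mistyped failover target.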