LDAP Failover

Ignacio Coupeau icoupeau at unav.es
Wed Jul 16 15:43:04 GMT 2003

Mike Samba wrote:

> I tried this on the general mailing list and it was suggested to me to
> ask the technical list for help on this...
> I have tried samba3-beta1 and beta2 to authenticate against LDAP.  Both
> versions have worked great until I attempt LDAP failover.  In my config,
> if I try:
> 	ldap server = srv1.domain.com
> It works perfect.  So does:
> 	ldap server = srv2.domain.com
> But when I try:
> 	ldap server = srv1.domain.com srv2.domain.com

I think that if srv1 is alive when you start the samba, all the 
conexions are mapped to this server, so if it fails... the alternative 
servers are ignored.

We solved this issue with an HA cluster or with a switch L3-7: all the 
ldap servers can manage a read, but the writes are redirected (rebind 
procedure) to the master.

For the TLS you need Alternative Names (DND) extensions in the certificates.

> 	tree connect failed: NT_STATUS_ACCESS_DENIED
> I also tried the newer method of:
> 	passdb backend = ldapsam_compat:ldap://srv1.domain.com

at this moment I don't tested a second server because a real solution is 
a HA ldap server.

Ignacio Coupeau, Ph.D.     icoupeau at unav.es
CTI, Director              icoupeau at alumni.unav.es
University of Navarra      icoupeau at ieee.org
Pamplona, SPAIN            http://www.unav.es/cti/

More information about the samba-technical mailing list