[Samba] Questions on Samba and LDAP failover

Michael Adam obnox at samba.org
Fri Mar 26 10:20:07 MDT 2010


Gary Peck wrote:
> Hi Michael,
> 
> This option seemed to work:
> 
>  passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"
> 
> 
> I swear I had tried that before, but I must not have.  Thanks for your 
> help.  I am that much closer to having 2000 Faculty/Staff users start using 
> the system.

Ok, good to know things are working again!

Please try to keep the list posted.

Cheers - Michael

> Thanks,
> 
> Gary
> 
> On 3/26/2010 6:15 AM, Michael Adam wrote:
> >Gary Peck wrote:
> >>I have actually tried that and could not get that to work.  At least it
> >>does not work on the version of samba that is bundled with Solaris 10
> >>(3.0.37).
> >>
> >>passdb backend = ldap:"ldap://ldap1.example.com ldap://ldap2.example.com"
> >>--- This causes a core dump
> >oh, i mis-spelled ldap: instead of ldapsam:
> >
> >>passdb backend = ldapsam:"ldap://ldap1.example.com ldap://ldap2.example.com"
> >>smbpasswd username fails connecting to primary ldap server and just errors out.
> >Hmm, what ldap library are you using? Reading from the smb.conf
> >manpage:
> >
> >
> >     -  ldapsam - The LDAP based passdb backend. Takes an LDAP URL as an
> >        optional argument (defaults to ldap://localhost)
> >
> >        LDAP connections should be secured where possible. This may be
> >        done using either Start-TLS (see ldap ssl) or by specifying
> >        ldaps:// in the URL argument.
> >
> >        Multiple servers may also be specified in double-quotes. Whether
> >        multiple servers are supported or not and the exact syntax depends
> >        on the LDAP library you use.
> >
> >        Examples of use are:
> >
> >        passdb backend = tdbsam:/etc/samba/private/passdb.tdb
> >
> >        or multi server LDAP URL with OpenLDAP library:
> >
> >        passdb backend = ldapsam:"ldap://ldap-1.example.com ldap://ldap-2.example.com"
> >
> >        or multi server LDAP URL with Netscape based LDAP library:
> >
> >        passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"
> >
> >So it depends on your LDAP client library and the example I gave you is
> >valid for openLDAP, possibly not for yours, if it supports multiple
> >servers at all.
> >You could try the second syntax ldapsam:"ldap://ldap-1.example.com ldap-2.example.com".
> >
> >The bottom line is that the string between the quotes has to be a valid
> >string accepted by the ldap init routine of your library...
> >
> >Cheers - Michael
> >
> >>It seems to be the 3.0.22 release that I remember seeing a note that ldap
> >>failover was deprecated for some reason.  The only way I have been able
> >>to get any type of failover is setting up a DNS entry to round robin
> >>between two Sun DS7 multimaster directory servers.
> >>
> >>Thanks,
> >>
> >>Gary
> >>
> >>On 3/25/2010 3:16 PM, Michael Adam wrote:
> >>>Hi Gary,
> >>>
> >>>Gary Peck wrote:
> >>>
> >>>>After trying multiple options in the smb.conf file the only way I could
> >>>>get fail over to work was having two ldap servers setup in a multimaster
> >>>>replication and having a DNS entry setup that round robins between the
> >>>>two.  Everything seems to work; I can bring down one ldap server and
> >>>>samba will still authenticate and let users in.  Anybody know of any
> >>>>issues doing it this way?
> >>>>
> >>>>Thanks,
> >>>>
> >>>>Gary
> >>>>
> >>>>
> >>>>>If I have read the documentation correctly, it looks like you cannot
> >>>>>have a fail over LDAP server defined in the smb.conf file for the
> >>>>>passdb backend.  It looks like this feature was taken away in an earlier
> >>>>>release.  Is this correct?  If not, could somebody steer me in the right
> >>>>>direction.
> >>>>>
> >>>Is the question how to specify multiple ldap servers in smb.conf?
> >>>If so, here is the answer:
> >>>
> >>>    passdb backend = ldap:"ldap://ldap1.example.com ldap://ldap2.example.com"
> >>>
> >>>I.e. put a space-separated list of ldap urls into quotes.
> >>>
> >>>If that was not your question, please clarify.
> >>>
> >>>Cheers - Michael
> >>>
> 
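An added example (not code from this thread or from Samba) that parses the quoted multi-server argument described in the manpage excerpt above, normalises the OpenLDAP form (every server a full URL) and the Netscape form (bare hostnames after the first URL), and reports which servers Samba would reach without TLS. The smb.conf text is constructed; treating a bare hostname as inheriting the scheme of the preceding URL is an assumption about the Netscape syntax.

```python
# Added example, not from the thread: parse "passdb backend = ldapsam:..." from
# smb.conf, split the double-quoted multi-server list into (scheme, host) pairs,
# and flag servers that would be contacted in the clear (ldap:// without
# "ldap ssl = start tls"). Standard library only; the config below is constructed.
import re
from urllib.parse import urlsplit

SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   passdb backend = ldapsam:"ldap://ldap-1.example.com ldap-2.example.com"
   ldap ssl = off
"""

def parse_passdb_backend(conf_text):
    """Return (backend, argument) from the passdb backend line, or None if absent."""
    m = re.search(r'^\s*passdb\s+backend\s*=\s*(\w+)(?::(.*))?$',
                  conf_text, re.M | re.I)
    if not m:
        return None
    backend, arg = m.group(1), (m.group(2) or "").strip()
    if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
        arg = arg[1:-1]          # multi-server form is wrapped in double quotes
    return backend, arg

def ldap_servers(arg):
    """Split the argument into per-server (scheme, host) pairs.
    A bare hostname (Netscape-style list) is assumed to reuse the scheme of the
    previous full URL; with no argument the manpage default ldap://localhost applies."""
    servers, scheme = [], "ldap"
    for token in arg.split() or ["ldap://localhost"]:
        if "://" in token:
            u = urlsplit(token)
            scheme, host = u.scheme.lower(), u.netloc
        else:
            host = token
        servers.append((scheme, host))
    return servers

def check_ldap_transport(conf_text):
    """Hosts Samba would talk to unencrypted: scheme ldap:// and no Start-TLS."""
    parsed = parse_passdb_backend(conf_text)
    if parsed is None or parsed[0].lower() != "ldapsam":
        return []
    starttls = re.search(r'^\s*ldap\s+ssl\s*=\s*start[_ ]tls\s*$',
                         conf_text, re.M | re.I) is not None
    return [host for scheme, host in ldap_servers(parsed[1])
            if scheme == "ldap" and not starttls]
```

Run `check_ldap_transport` over a real smb.conf to list the directory servers whose passdb traffic (including password hashes) would cross the network without TLS.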
