LDAP Resolver Issue - Two PI instances with Master-Master Replication

I’ve installed 2 PI instances on two different servers hosted at different locations and enabled M2M for sync between them. I have a requirement that PI needs to reach 4 LDAP servers with a single resolver, and I have configured it that way.

I’ve two LDAP servers (Primary/Redundancy) in one pool and the other two (Primary/Redundancy) in the second pool. FYI, all 4 of these LDAP servers are in sync over P2P.

Now my issue is that I am able to resolve on only one PI instance, and the other throws a resolver error. Can someone advise on this? Is it some delay in my LDAP response time, or have I missed something here?

Regards,
Stan

What do you mean by that?

  1. Take a look at the log file.
  2. Look at your resolver and realm config and/or post it here.

Hi Cornelinux,

When I bind my LDAP account on one PI node, the other PI node throws the error ‘wrong credentials’. I found this error in the privacyIDEA logs.

Regards,
Stan

To be clearer on this:

  1. I have deployed two PI servers in two different pools and enabled sync between them over P2P.

  2. I have 4 LDAP servers: 2 in one pool and the other 2 in the second pool.

  3. All 4 of these LDAP servers are in sync with each other; I mean if I reset the password for an account in LDAP1, it is reflected in the other 3 LDAP servers too.

  4. Both PI servers can reach all 4 LDAP servers individually.

  5. These 2 PI servers are on Master-Master DB replication.

Now my question is… Consider a scenario where:

  1. I have configured LDAP1, LDAP2, LDAP3 and LDAP4 in PI Node 1.

  2. As it’s on replication, the same configuration applies to PI Node 2 as well.

  3. This is a priority-based reach, right? I mean if LDAP1 is down or unreachable, the request shifts to LDAP2, then to LDAP3 and LDAP4, according to my configuration.

  4. Now say my Node 1 can reach LDAP1 and resolves with no issues, but my Node 2 fails to reach LDAP1 due to some network issue between Node 2 and LDAP1 alone. In this case Node 2 needs to resolve using LDAP2 as the next hop, but in my case it fails, as Node 2 throws the error “Wrong Credentials”.

  5. I tried to reset the password for my bind account individually in all 4 LDAPs, assuming some delay in sync between them, and found hardly any delay.

  6. When I re-enter the password in the resolver config and run Test Resolver on Node 1, it resolves, but it fails on Node 2, which throws the error “Wrong Credentials”. And when I try it on Node 2, it resolves, but I get the same error on Node 1.

Regards,
Stan

You need the same encryption keys on both privacyIDEA servers.
The LDAP password and other sensitive data are encrypted in the database, so both privacyIDEA nodes need the same encryption keys.

Don’t overcomplicate things, before you have the basis right!
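Why the symptom looks like “Wrong Credentials” rather than a database error: the replicated row holds the bind password in encrypted form, so a node with a different key either cannot decrypt it or recovers garbage, and it is the LDAP bind that then fails. The following is an added illustration, not privacyIDEA’s own code or cipher; it uses a stdlib-only stand-in scheme (HMAC-SHA256 keystream with an HMAC tag) and a constructed in-memory “directory” to show two replicated nodes, one with the right key and one with a different key, reading the same stored row.

```python
"""
Added example (not privacyIDEA code). Demonstrates why two nodes sharing one
replicated database must also share the encryption key for config secrets.
The cipher is a simplified stand-in: HMAC-SHA256 counter keystream + HMAC tag.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of `length` bytes from key and nonce (counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_config_value(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt a secret for storage: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_config_value(key: bytes, blob: bytes):
    """Return the plaintext, or None if the key does not match (tag check fails)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def ldap_simple_bind(directory: dict, bind_dn: str, password) -> bool:
    """Stand-in for an LDAP simple bind against a constructed directory."""
    return password is not None and directory.get(bind_dn) == password


def enckeys_match(key_a: bytes, key_b: bytes) -> bool:
    """Operator check: compare key digests instead of the raw key material."""
    digest_a = hashlib.sha256(key_a).digest()
    digest_b = hashlib.sha256(key_b).digest()
    return hmac.compare_digest(digest_a, digest_b)


def simulate_replicated_nodes() -> dict:
    """
    Node 1 writes the resolver's bind password into the shared DB under its key.
    Master-master replication copies the encrypted row to Node 2 unchanged.
    Node 2 can only bind if it holds the same key as Node 1.
    """
    bind_dn = "cn=pi-bind,dc=example,dc=com"          # constructed DN
    bind_password = b"constructed-bind-password"      # constructed secret
    directory = {bind_dn: bind_password}              # constructed LDAP directory

    node1_key = os.urandom(32)
    node2_key_different = os.urandom(32)              # the misconfiguration
    node2_key_copied = node1_key                      # after copying enckey

    stored_row = encrypt_config_value(node1_key, bind_password)  # replicated row

    pw_node1 = decrypt_config_value(node1_key, stored_row)
    pw_node2_bad = decrypt_config_value(node2_key_different, stored_row)
    pw_node2_fixed = decrypt_config_value(node2_key_copied, stored_row)

    return {
        "keys_match_before": enckeys_match(node1_key, node2_key_different),
        "keys_match_after": enckeys_match(node1_key, node2_key_copied),
        "node1_bind_ok": ldap_simple_bind(directory, bind_dn, pw_node1),
        "node2_bind_ok_before": ldap_simple_bind(directory, bind_dn, pw_node2_bad),
        "node2_bind_ok_after": ldap_simple_bind(directory, bind_dn, pw_node2_fixed),
    }


if __name__ == "__main__":
    for name, value in simulate_replicated_nodes().items():
        print(f"{name}: {value}")
```

The `enckeys_match` helper is the check worth running on both hosts before anything else: compare a digest of each node’s key file rather than reading the key material itself, and only then look at the LDAP side.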

Hi Cornelinux,

Thanks a ton! Appreciate your timely response.

I’ve copied the enckey from Node 1 to Node 2 and restarted the DB & web services, and it feels like my LDAP sync issue is fixed. But I’m experiencing a lag in accessing the UI since the change. Any suggestions on this? I’m hosting both PI instances on VMs with 16 GB RAM, 300 GB disk space and an 8-core processor.

Regards,
Stan