I’m having a problem where I have two PrivacyIDEA servers set up, and the underlying MySQL DB is set up with master-master replication. Everything seemed to work fine until I created the LDAP User Resolver. When I created it, along with policies and other changes, those changes and settings replicated successfully. It works in both directions.
The problem is with the LDAP User Resolver itself. The Resolver was replicated, along with all of its settings; however, only the server I created it on can actually pull up the user list. The other server gives an error:

"LDAPServerPoolExhaustedError('no active server available in server pool after maximum number of tries')"
Both servers are on the same subnet as the LDAP server, so there is no firewall in between. I’ve confirmed that I can telnet from both servers to the LDAP server on port 389. A tcpdump on the LDAP server, configured to capture all traffic from the two PrivacyIDEA servers, shows packets (as expected) from the PrivacyIDEA server that is working, but nothing from the one that isn’t. So the request is never leaving the PrivacyIDEA server.
I’ve searched the forum and found a few posts about this, and the answer is always the same: make sure pi.cfg and the encryption keys are identical between the two servers. I’ve confirmed with MD5 sums that they are. I’ve verified that pi.cfg, enckey, private.pem and public.pem are identical.
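The post above checks reachability by hand (telnet to port 389 from each node). The script below is an added example, not code from the original post or from the privacyIDEA project: it takes the resolver's LDAPURI value, splits it into the individual pool members (privacyIDEA documents a comma-separated list of URIs as a server pool, which is what the ldap3 ServerPool behind the quoted error is built from), and for each member reports separately whether the host name resolves and whether a TCP connection succeeds. Running it on both PrivacyIDEA nodes with the same LDAPURI string shows whether the failing node differs at the name-resolution step or at the connection step, which a plain telnet to an IP address does not distinguish. The host names, ports and the sample URI list are constructed for illustration.

```python
"""Added example (not part of the original post or of privacyIDEA).

Split a privacyIDEA-style LDAPURI server-pool string into its members and
check, from the host this runs on, whether each member resolves and accepts
a TCP connection. Assumptions: members are comma separated, as privacyIDEA
documents for LDAP server pools; default ports are 389 (ldap) and 636 (ldaps).
"""
from __future__ import annotations

import socket
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


@dataclass(frozen=True)
class LdapServer:
    scheme: str
    host: str
    port: int

    def uri(self) -> str:
        return f"{self.scheme}://{self.host}:{self.port}"


def parse_ldap_uris(uri_list: str) -> List[LdapServer]:
    """Turn 'ldap://dc1:389, ldaps://dc2' into LdapServer members.

    Blank entries are skipped; anything that is not an ldap/ldaps URI with a
    host part is rejected rather than silently dropped from the pool.
    """
    servers: List[LdapServer] = []
    for raw in uri_list.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"unsupported LDAP URI: {raw!r}")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        servers.append(LdapServer(parts.scheme, parts.hostname, port))
    return servers


def check_server(server: LdapServer, timeout: float = 3.0) -> Tuple[Optional[str], bool]:
    """Return (resolved_ip, tcp_ok).

    resolved_ip is None when the name does not resolve on this host; tcp_ok is
    False when the name resolves but no TCP connection could be established.
    """
    try:
        ip = socket.gethostbyname(server.host)
    except socket.gaierror:
        return None, False
    try:
        with socket.create_connection((ip, server.port), timeout=timeout):
            return ip, True
    except OSError:
        return ip, False


def report(uri_list: str, timeout: float = 3.0) -> Dict[str, Tuple[Optional[str], bool]]:
    """Check every pool member and key the results by normalized URI."""
    return {s.uri(): check_server(s, timeout) for s in parse_ldap_uris(uri_list)}


if __name__ == "__main__":
    # Constructed sample pool; pass the real LDAPURI value as the first argument.
    uri_list = sys.argv[1] if len(sys.argv) > 1 else "ldap://dc1.example.test:389, ldaps://dc2.example.test"
    for uri, (ip, ok) in report(uri_list).items():
        if ok:
            state = "ok"
        elif ip:
            state = "resolves but TCP connect failed"
        else:
            state = "name does not resolve"
        print(f"{uri:<45} {ip or '-':<16} {state}")
```

Run it as the same OS user privacyIDEA runs under on each node, so that it sees the same /etc/hosts, resolv.conf and nsswitch configuration the application sees; a difference in name resolution between the two nodes would explain a pool being exhausted without any packet ever reaching the LDAP server.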