LDAP User Resolver with MySQL Master-Master replication

I’m having a problem where I have two PrivacyIDEA servers set up, and the underlying MySQL DB is set up with master-master replication. Everything seemed to work fine until I created the LDAP User Resolver. When I created it, along with policies and other changes, those changes and settings replicated successfully. It works in both directions.

The problem is with the LDAP User Resolver. The Resolver itself was replicated, along with all the settings; however, only the server I created it on can actually pull up the user list. The other server gives an error:

"LDAPServerPoolExhaustedError('no active server available in server pool after maximum number of tries')"

Both servers are on the same subnet as the LDAP server, so no FW in between. I’ve confirmed that I can telnet from both servers to the LDAP server on 389. A TCPDUMP on the LDAP server, configured to listen to all traffic from the servers shows results (as expected) from the PrivacyIDEA server that is working, but no results from the one that isn’t. So, the request is never leaving the PrivacyIDEA server.

I’ve searched the forum and found a few posts about this, and the answer is always the same…make sure pi.cfg and the encryption keys are identical between the two servers. I’ve confirmed they are using MD5sums. I’ve verified pi.cfg, enckeys, private.pem and public.pem are identical.

Any ideas?


This is most probably a DNS issue on the 2nd machine!

I thought that might be the case also, but they are using the same DNS servers and an NSLOOKUP of the LDAP servers returned identical results on them.

I had previously stated (and since deleted) that an LDAP search from the command line of both servers had different results, where it was successful on the PrivacyIDEA server that worked and unsuccessful on the one that didn’t. When I went back and looked, I had copied and pasted the command to the second server and somehow a space got put into the query, which is why I received results on one and not the other. When I spotted the mistake and corrected it, I received successful results on both servers. So, it appears to be a PrivacyIDEA issue, not something with the server config or network.

ARGH. It WAS a server issue. I had remembered to disable SELinux on the server that was working, but had forgotten on the one that wasn’t. After a disable & reboot, everything is working fine now. Hopefully this post will help someone else remember to check the basics before asking for help.

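Added example, not part of the original thread: the symptom described above (telnet and a command-line LDAP search succeed, yet the resolver's traffic never leaves the host) is what an SELinux denial on the web server process looks like, and the audit log is where it shows up. The function below filters AVC records for denied outbound connects to the LDAP ports. The sample records are constructed, and it is an assumption that privacyIDEA runs under Apache in the `httpd_t` domain; the thread does not show the denial that was logged.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the thread).
SAMPLE_AUDIT='type=AVC msg=audit(1500000000.101:210): avc:  denied  { name_connect } for  pid=2311 comm="httpd" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000003.552:214): avc:  denied  { read } for  pid=2400 comm="httpd" name="notes.txt" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1500000009.010:230): avc:  denied  { name_connect } for  pid=2311 comm="httpd" dest=636 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000011.900:233): avc:  denied  { name_connect } for  pid=2500 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket'

# Read audit records on stdin; print "comm dest domain" for each denied
# outbound TCP connect to an LDAP port (389 or 636).
ldap_denials() {
    awk '
        /type=AVC/ && /denied/ && /name_connect/ && /tclass=tcp_socket/ {
            comm = ""; dest = ""; dom = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
                if ($i ~ /^dest=/)     { dest = $i; sub(/^dest=/, "", dest) }
                if ($i ~ /^scontext=/) { split($i, c, ":"); dom = c[3] }
            }
            if (dest == "389" || dest == "636") print comm, dest, dom
        }'
}

# Number of matching denials. Non-zero points at SELinux rather than DNS
# or a firewall as the reason the resolver cannot reach the directory.
ldap_denial_count() {
    ldap_denials | wc -l | tr -d ' '
}

# Demonstration on the constructed records.
printf '%s\n' "$SAMPLE_AUDIT" | ldap_denials

# On a live host (needs root): ausearch -m avc -ts today | ldap_denials
# If the domain shown is httpd_t, check: getsebool httpd_can_connect_ldap
```

Running the same filter on both replicated nodes shows which one is denying the connection without turning enforcement off on either.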