An Open Directory domain is actually 3 semi-integrated services: LDAPv3 for most data (provided by a fairly standard OpenLDAP server), Kerberos v5 KDC for single sign-on authentication (provided by MIT's Kerberos implementation, with a few tweaks), and a SASL-based password server for other types of authentication (provided by something at least partly based on a CMU SASL project).

Replicating the LDAP component shouldn't be too hard: configure syncrepl as with any other OpenLDAP implementation, then add the extra server(s) URL(s) as values of the apple-ldap-replica attribute of the cn=ldapreplicas,cn=config,whateveryoursearchbaseis record in LDAP (this tells the clients about the replica(s)).

Password service and Kerberos are much harder. As far as I can tell, Apple's extended the CMU SASL code considerably, so I don't think it's going to be possible to copy it without massive effort. except that it depends on the password server for replication (the password servers in a replica network update each other about new passwords, and then each one is responsible for updating the Kerberos KDC on the same server). Note that there are also LDAP records under cn=config telling clients where all the available password servers and KDCs are; the Kerberos one is fairly obvious, but the password server one is harder to make out.

So you could do LDAP replication, but I don't think password server and KDC replicas are practical. And if you don't have those services backed up, there's not much benefit to replicating LDAP.

If it's just uptime you're concerned about, how about adding one of the Mac Mini servers as a replica? They aren't up for high-throughput serving by any means, but as an emergency backup I'd consider them just the thing.

Pexip Infinity can be configured to connect to a Windows Active Directory LDAP server, or any other LDAP-accessible database, in order to:

- authenticate and authorize the login accounts that are allowed to connect to the Pexip Infinity Administrator interface or the Pexip Infinity API.
- bulk-provision individual Virtual Meeting Rooms or devices for every member of the directory.

This section explains how Pexip Infinity connects to the LDAP server, and provides guidance on how to troubleshoot connection problems.

Note that all LDAP distinguished names must be entered as per the LDAP standard (RFC 4514).

When resolving the LDAP server address, the system supports DNS SRV and DNS A/AAAA lookups.

The system always tries in the first instance to set up a TLS connection with the LDAP server. If that fails it may fall back to a TCP connection if allowed.

To establish a TLS connection, the Pexip Infinity platform must trust the certificate presented by the LDAP server, i.e. the LDAP server's certificate must be signed by an authority within the Pexip Infinity trusted CA certificates store. In addition, the resolved LDAP server address must match the CN (common name) contained within the certificate presented by the LDAP server.

The system will connect to the port returned by an SRV lookup, otherwise it will connect to 389 (TCP) or 636 (TLS). Requests to search the Active Directory Global Catalog use ports 3268 (TCP) and 3269 (TLS).

If the LDAP server address is configured as an IP address, the system will connect directly to the given address, otherwise it treats it as a domain or FQDN and attempts to resolve the address via DNS lookups in the following sequence:

1. Perform a DNS SRV lookup against _ldaps._tcp.
2. Perform a DNS SRV lookup against _ldap._tcp.

When a DNS lookup is successful, the system will first attempt to establish a TLS connection with the server at the returned address. If the TLS connection attempt fails, the system will then attempt a TCP connection, but only if Allow insecure transport is enabled. Only TLS connections are attempted as a result of _ldaps lookups. If multiple addresses are returned by SRV lookups, the system will attempt to connect to each address in priority order.

Connectivity error messages and using the support log

Diagnostic information is also recorded in the support log (Status > Support log).

When Pexip Infinity connects successfully to the LDAP server, the support log will contain an entry similar to this:

    T11:15:00.550+00:00 mgmt 11:15:00,550 Level="INFO" Name="support.ldap" Message="Successfully connected to LDAP server" Address="" Uri="ldaps://"

Unable to contact the LDAP server

If Pexip Infinity cannot contact the configured LDAP server, the support log will contain an entry similar to this:
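The Pexip Infinity address-resolution and connection-attempt sequence described above, modelled in Python as an added example (this is not code from the Pexip documentation or product). The injected `srv_lookup` resolver and the `Attempt` record are assumptions made so it runs offline, and the behaviour when no SRV records exist is an assumption labelled in the code.

```python
from dataclasses import dataclass
import ipaddress

# Defaults from the page: 389 (TCP) / 636 (TLS) for LDAP, 3268 / 3269 for the AD Global Catalog.
DEFAULT_PORTS = {"ldap": (389, 636), "gc": (3268, 3269)}


@dataclass(frozen=True)
class Attempt:
    host: str
    port: int
    tls: bool


def plan_ldap_attempts(address, srv_lookup, allow_insecure=False, global_catalog=False):
    """Ordered connection attempts for one configured LDAP server address.

    srv_lookup(name) is an injected resolver returning [(priority, host, port), ...]
    so the function runs offline; an empty list means no SRV records.
    """
    tcp_port, tls_port = DEFAULT_PORTS["gc" if global_catalog else "ldap"]
    attempts = []

    def tls_then_tcp(host, port_tls, port_tcp, tls_only):
        # TLS is always tried first; plain TCP only if the lookup kind allows it
        # and "Allow insecure transport" is enabled.
        attempts.append(Attempt(host, port_tls, True))
        if not tls_only and allow_insecure:
            attempts.append(Attempt(host, port_tcp, False))

    try:
        ipaddress.ip_address(address)
    except ValueError:
        pass  # not an IP literal: treat it as a domain/FQDN and resolve via DNS
    else:
        tls_then_tcp(address, tls_port, tcp_port, tls_only=False)  # direct connect
        return attempts

    # _ldaps SRV records yield TLS-only attempts; _ldap SRV records may fall back to TCP.
    for prefix, tls_only in (("_ldaps._tcp.", True), ("_ldap._tcp.", False)):
        records = sorted(srv_lookup(prefix + address))  # lowest priority value first
        if records:
            for _priority, host, port in records:
                tls_then_tcp(host, port, port, tls_only)  # SRV port used for both
            return attempts

    # ASSUMPTION: with no SRV records the configured name is used as-is with the
    # default ports (the page names A/AAAA lookups but does not spell out this step).
    tls_then_tcp(address, tls_port, tcp_port, tls_only=False)
    return attempts
```

Feeding it a constructed resolver shows that an _ldaps answer never produces a plain-TCP attempt even with insecure transport enabled, while an _ldap answer does.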