Re: Using a specific NIC

Full Name wrote:
> I have a CentOS 7 system where I am running the nss-pam-ldapd module in order 
> to obtain users' attributes from a remote LDAP server. This works as 
> expected, but I have the following issue:
> 
> I want to do the same thing on a different CentOS 7 system which comes with 
> several functional NICs. In this system, the LDAP server is reachable from 
> just one of those NICs. How can I force the nss-pam-ldapd module to use that 
> specific NIC? The nslcd.conf file does not seem to afford the capability to 
> do so. Can this be done without hacking the nss-pam-ldapd source code?

The nss and pam modules talk to a local daemon, nslcd.
It is documented in nslcd(8) and nslcd.conf(5) manpages.
nslcd finds your LDAP server via a URI, e.g.

    ldaps://ldap.example.edu/

I don't see a way to force it to route via a particular interface, but
if your routing table is sensible, that should Just Work.

Look at "ip route", and possibly "ip rule".

If you're a boring router and just have one interface for each network
(e.g. one "internet" iface and one "lan" iface), it should all Just
Work with no special magic.

If you have multiple ifaces that go to the same destination, you might
be getting response packets coming back from the wrong iface.
Read about "triangle routing", "rp_filter", and possibly "hairpin NAT".
Use tcpdump or tshark/wireshark/termshark to diagnose.
Remember that ICMP and UDP are connectionless, but TCP (and thus LDAP)
are connection-oriented, so will be Deeply Unhappy about triangle routing.

Multiple independent uplinks (that aren't bonded into a single logical link) 
are pretty rare.
The documentation about them is old and poor, try the lartc website.
I also have some old addenda here: http://cyber.com.au/~twb/doc/dual-uplink.txt
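A way to verify the routing advice above on a given host, added here as an example and not part of the original reply: it asks the kernel which interface and source address it would use to reach the server named in the nslcd `uri`, prints that interface's rp_filter setting, and checks the interface against the NIC you expect. The URI, interface names and the sample `ip route get` line are assumed or constructed; hostnames and IPv4 literals are handled, bracketed IPv6 literals are not.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): report which interface the
# kernel would use to reach the LDAP server named in the nslcd "uri", and
# whether that is the NIC you expect. Hostname or IPv4 literal only.

# Extract the host part of an LDAP URI: ldaps://ldap.example.edu:636/ -> ldap.example.edu
uri_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-z]+://##; s#[/:].*$##'
}

# Print the value following keyword $2 ("dev", "src", "via") in the
# `ip route get` output line $1, e.g. (constructed)
# "10.1.2.3 via 10.0.0.1 dev eth1 src 10.0.0.20 uid 0"
route_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{ for (i = 1; i < NF; i++) if ($i == k) { print $(i+1); exit } }'
}

# Succeed (exit 0) only if the route line $1 leaves via interface $2.
route_uses_iface() {
    [ "$(route_field "$1" dev)" = "$2" ]
}

# Live check. Usage: check_ldap_route ldaps://ldap.example.edu/ eth1
# Exit 0 = route uses the expected NIC, 1 = it does not, 2 = could not determine.
check_ldap_route() {
    uri=$1; want=$2
    host=$(uri_host "$uri")
    # resolve with the system resolver, first IPv4 answer
    addr=$(getent ahostsv4 "$host" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 2
    line=$(ip route get "$addr" 2>/dev/null | head -n 1)
    [ -n "$line" ] || return 2
    dev=$(route_field "$line" dev); src=$(route_field "$line" src)
    echo "$host ($addr) -> dev $dev src $src"
    # rp_filter=1 (strict) drops packets arriving on an interface other than the
    # one the kernel would use to reach their source (the "triangle" case).
    echo "rp_filter on $dev: $(cat /proc/sys/net/ipv4/conf/"$dev"/rp_filter 2>/dev/null || echo unknown)"
    route_uses_iface "$line" "$want"
}

if [ $# -ge 2 ]; then
    check_ldap_route "$1" "$2"
fi
```

Run it as `sh check_route.sh ldaps://ldap.example.edu/ eth1` on the multi-NIC host; a non-zero exit means the kernel's routing table, not nslcd, is what needs adjusting.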