Subject: Re: failover config: servers with same DNS address and TLS, subjectAltName extension
From: Emmanuel Dreyfus (ma@netbsd.org)
Date: Jul 25, 2007 8:31:22 pm
List: org.openldap.openldap-software

Norman Gaywood <ngay@une.edu.au> wrote:

The DNS contains these records:

    srv1 IN A 192.0.2.4
    srv2 IN A 192.0.2.5
    ldap 1 IN A 192.0.2.4
    ldap 1 IN A 192.0.2.5

As the text says, this is multiple LDAP servers answering on the same DNS address. Where is the "fail-over" part? Is that assumed to be configured somewhere else?

On the client, you have this in ldap.conf:

    URI ldaps://ldap.example.net:636

The client will spread its requests on srv1 and srv2. If one is down, then it will try the next one until one works.

The worst case is if one of {srv1, srv2} accepts the connection but takes forever to answer (a situation you can have in some kernel crashes, on heavy loads, or if you simulate it by sending a kill -STOP to slapd). In that situation the client connects and will time out. The timeout setting is left to the application. pam_ldap has bind_timelimit, for instance. OpenLDAP command-line tools (ldapsearch and friends) are stuck with a hardcoded timeout that cannot be user-configured without rebuilding the sources.

No doubt this question is outside the scope of this list, but it would be useful to have this clarified if this thread lives on to be a HOWTO.

IMO, it's not outside the scope of the list. The list is about using OpenLDAP for doing things with it, right?
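To make the failover behaviour discussed in this thread concrete, here is an added Python example (not code from the thread, from pam_ldap, or from OpenLDAP). It models a client whose name resolves to several addresses and walks them in order, bounding both the TCP connect and the wait for a reply. The second case the post calls the worst one, a server that accepts the connection but never answers, is simulated with a constructed local listener that completes the handshake but never calls accept(), which is what the kernel does for a slapd frozen with kill -STOP. The name ldap.example.net, the in-memory "DNS" table, the PING/PONG request and the port numbers are all constructed for the example; the wire protocol is not LDAP.

```python
"""Client-side failover across round-robin DNS, with a stalled-server guard.

Added example, not part of the original thread. The request/response here is a
constructed one-liner, not LDAP; the point is the connect and read timeouts.
"""
import socket
import threading


def resolve(host, fake_dns):
    """Stand-in for getaddrinfo(): return the address list for a name.

    fake_dns is a constructed dict, e.g.
    {"ldap.example.net": [("127.0.0.1", 4001), ("127.0.0.1", 4002)]},
    so the example runs offline with no real DNS.
    """
    return list(fake_dns[host])


def query_with_failover(host, fake_dns, request=b"PING\n", timeout=0.5):
    """Try each resolved address in order.

    Returns (addr, reply) for the first server that both accepts the TCP
    connection and answers within `timeout` seconds, or (None, errors) if
    every address failed. A server that accepts but stays silent (kernel
    crash, overload, kill -STOP on slapd) is caught by the recv() timeout,
    so the client moves on instead of hanging forever.
    """
    errors = []
    for addr in resolve(host, fake_dns):
        try:
            # create_connection() bounds the connect; settimeout() makes the
            # later recv() raise after `timeout` seconds as well.
            with socket.create_connection(addr, timeout=timeout) as s:
                s.settimeout(timeout)
                s.sendall(request)
                reply = s.recv(64)
                if not reply:
                    raise ConnectionError("peer closed without a reply")
                return addr, reply
        except OSError as exc:  # socket.timeout and ConnectionError are OSErrors
            errors.append((addr, type(exc).__name__))
    return None, errors


def start_servers():
    """Start two constructed local listeners and return (fake_dns, stop_event).

    The first listener never calls accept(): the kernel still completes the
    handshake (backlog), so the client sees a successful connect and then
    silence, which models slapd stopped with kill -STOP. The second answers.
    """
    stop = threading.Event()
    frozen = socket.socket()
    frozen.bind(("127.0.0.1", 0))
    frozen.listen(5)
    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(5)
    live.settimeout(0.1)

    def answer_loop():
        while not stop.is_set():
            try:
                conn, _ = live.accept()
            except socket.timeout:
                continue
            with conn:
                conn.recv(64)
                conn.sendall(b"PONG srv2\n")
        live.close()
        frozen.close()

    threading.Thread(target=answer_loop, daemon=True).start()
    fake_dns = {"ldap.example.net": [frozen.getsockname(), live.getsockname()]}
    return fake_dns, stop


def demo():
    """Run the client against the two constructed servers; returns (addr, reply)."""
    fake_dns, stop = start_servers()
    try:
        return query_with_failover("ldap.example.net", fake_dns)
    finally:
        stop.set()


if __name__ == "__main__":
    addr, reply = demo()
    print(f"answered by {addr}: {reply!r}")
```

Run it directly and the client spends one read timeout on the frozen first address, then gets its answer from the second. Without the settimeout() call the recv() would block indefinitely, which is exactly the behaviour the post describes for a client whose application does not set its own timeout.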