LinuxQuestions.org
Old 05-13-2009, 01:18 PM   #1
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979
Blog Entries: 1

LDAP autofailover configuration


Hello,

So I've set up an LDAP environment (using Fedora Directory Server....they are going to call it 389 Directory Server now for some reason...but anyway) for my servers to get login information...

I used the authconfig command to set this up...
Code:
root@host# authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldap1.example.com --ldapbasedn="dc=example,dc=com" --update
This works perfectly and all machines (about 25) are using this LDAP server for login information.

So since 25 machines are depending on this ldap server I decided to put ldap2.example.com into production and I have a replication working (and all that is working fine).

So here is my question:

What if ldap1.example.com were to fail (as all machines do fail at one point or another)?

I would have to manually go to each machine and change the LDAP server.

Is there any way to have an "auto failover"? i.e. if ldap1.example.com were to go "offline", the host would "automagically" look for ldap2.example.com

Is this possible?

(I'm using Centos 5.3 with Fedora Directory Server...aka CDS)

-C
 
Old 05-13-2009, 01:53 PM   #2
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979

Original Poster
Blog Entries: 1

Looks like I should have RTFM...

(man ldap.conf)
Code:
OPTIONS
       The configuration options are case-insensitive; their value, on a case by case basis, may be case-sensitive.  The different con-
       figuration options are:

       URI <ldap[s]://[name[:port]] ...>
              Specifies the URI(s) of an LDAP server(s) to which the LDAP library should connect.  The URI scheme may be either ldap or
              ldaps  which  refer  to  LDAP  over  TCP  and LDAP over SSL (TLS) respectively.  Each server’s name can be specified as a
              domain-style name or an IP address literal.  Optionally, the server’s name can followed by a ’:’ and the port number  the
              LDAP  server  is  listening on.  If no port number is provided, the default port for the scheme is used (389 for ldap://,
              636 for ldaps://).  A space separated list of URIs may be provided.
I will play with this for a while and post my results since I'm probably not the only one with this question

-C
 
Old 05-13-2009, 01:55 PM   #3
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

guess who....?

Just specify multiple servers in your ldap.conf. Off hand I think you just separate them with spaces on a single line.

If you don't want that then you'd want to look at a VIP across the two boxes, or a load balancer out front, but with this lower level sort of access I'd encourage pushing the resiliency as far back to the client as possible, even though it will cause some slightly undesirable delays during the failover and such, as it makes the architecture much simpler.
 
Old 05-13-2009, 01:58 PM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

I quite like the name change actually, not that I'd heard about it until now. Means CentOS won't rebrand at all, etc.
 
Old 05-13-2009, 02:02 PM   #5
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979

Original Poster
Blog Entries: 1

Quote:
Originally Posted by acid_kewpie
guess who....?

Just specify multiple servers in your ldap.conf. Off hand I think you just separate them with spaces on a single line.

If you don't want that then you'd want to look at a VIP across the two boxes, or a load balancer out front, but with this lower level sort of access I'd encourage pushing the resiliency as far back to the client as possible, even though it will cause some slightly undesirable delays during the failover and such, as it makes the architecture much simpler.
Thanks!

Actually I'm not interested in "load balancing"...just the failover.

I will play around with some scenarios and see if I get the desired results...

-C
 
Old 05-13-2009, 02:03 PM   #6
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979

Original Poster
Blog Entries: 1

Quote:
Originally Posted by acid_kewpie
I quite like the name change actually, not that I'd heard about it until now. Means CentOS won't rebrand at all, etc.
Yeah, now that I think about it...the rebranding will be easier...since there won't be a need to rebrand
 
Old 05-13-2009, 02:05 PM   #7
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979

Original Poster
Blog Entries: 1

Quote:
Originally Posted by acid_kewpie
guess who....?

Just specify multiple servers in your ldap.conf. Off hand I think you just separate them with spaces on a single line.

If you don't want that then you'd want to look at a VIP across the two boxes, or a load balancer out front, but with this lower level sort of access I'd encourage pushing the resiliency as far back to the client as possible, even though it will cause some slightly undesirable delays during the failover and such, as it makes the architecture much simpler.
Quick question...

Is it possible to specify more than one ldap server in the authconfig command? Or am I better off manually editing the /etc/ldap.conf file?

-C
 
Old 05-13-2009, 02:21 PM   #8
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Both are fine, it's a direct string replacement from the tool, really dumb.
 
Old 05-14-2009, 03:24 PM   #9
ramram29
Member
 
Registered: Jul 2003
Location: Miami, Florida, USA
Distribution: Debian
Posts: 848
Blog Entries: 1

Quote:
Originally Posted by custangro
Thanks!

Actually I'm not interested in "load balancing"...just the failover.

I will play around with some scenarios and see if I get the desired results...

-C
Use heartbeat
 
Old 05-14-2009, 04:09 PM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Quote:
Originally Posted by custangro
Thanks!

Actually I'm not interested in "load balancing"...just the failover.

I will play around with some scenarios and see if I get the desired results...

-C
Load balancing stuff like this is nice. It proves that all available instances of a service are functional. What use is a failover scenario if the box you fail over to is broken, but you don't know because nothing has used it for months? It's not always about handling large volumes.
 
Old 05-14-2009, 04:39 PM   #11
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979

Original Poster
Blog Entries: 1

Quote:
Originally Posted by acid_kewpie
Load balancing stuff like this is nice. It proves that all available instances of a service are functional. What use is a failover scenario if the box you fail over to is broken, but you don't know because nothing has used it for months? It's not always about handling large volumes.
I know it's probably worth looking into...

We have a F5 BigIP...I wonder if that will do it? I'll talk to my networking guy for some more info...

-C
 
Old 05-15-2009, 04:27 AM   #12
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Oh man, I live for F5's... hell yeah that'll do an awesome job, network admins shouldn't own them though... have it doing a search against both servers every minute or so with observed load balancing, lovely. Exactly what we have where I work.
 
Old 05-16-2009, 11:06 AM   #13
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979

Original Poster
Blog Entries: 1

Quote:
Originally Posted by acid_kewpie
Oh man, I live for F5's... hell yeah that'll do an awesome job, network admins shouldn't own them though... have it doing a search against both servers every minute or so with observed load balancing, lovely. Exactly what we have where I work.
Sorry, I can't do it all, you know

So I did some tests...and just an FYI...this syntax works perfectly...
Code:
authconfig --enableldap --enableldapauth --enablemkhomedir --ldapserver=ldap1.example.com,ldap2.example.com --ldapbasedn="dc=example,dc=com" --update
Anyway, so I used the above on my client and I shut down ldap1.example.com and it took...I dunno...half a second (and I'm rounding it up) to "failover". Which isn't bad...but I think that I will still utilize the F5 (since it's there and I can use it...I might as well do it "right" on roll-out)

Anyway so this is my plan...

2 LDAP servers (with replication) behind a load balancer and home directories on an NFS share on my NetApp.

Now if I can only get sudo into ldap (still can't get that working right lol)

-C
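As an added example that is not part of the thread, the Python below ties together the two syntaxes posted above: it turns the comma-separated `--ldapserver` value from authconfig into the space-separated `URI` line that ldap.conf(5) documents (post #2), applies the man page's default ports (389 for ldap://, 636 for ldaps://), and then probes the servers in list order to show which one a client would actually end up on after a failover. The function names and the sample hosts are constructed for the example; the hosts do not resolve.

```python
import socket
from urllib.parse import urlsplit

# Default ports per scheme, as stated in ldap.conf(5): 389 for ldap://, 636 for ldaps://
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def authconfig_to_uri_line(servers, scheme="ldap"):
    """Turn the comma-separated --ldapserver value into the space-separated
    'URI ...' line documented in ldap.conf(5).  Pass scheme='ldaps' when the
    directory servers are reachable over LDAP over TLS."""
    hosts = [h.strip() for h in servers.split(",") if h.strip()]
    return "URI " + " ".join(f"{scheme}://{h}" for h in hosts)


def parse_uri_line(line):
    """Parse 'URI ldap[s]://host[:port] ...' into a list of (scheme, host, port),
    filling in the scheme's default port when none is given.  The option name
    is case-insensitive, as the man page states."""
    key, _, rest = line.strip().partition(" ")
    if key.lower() != "uri":
        raise ValueError(f"not a URI line: {line!r}")
    endpoints = []
    for uri in rest.split():
        parts = urlsplit(uri)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"unsupported LDAP URI: {uri!r}")
        port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
        endpoints.append((parts.scheme, parts.hostname, port))
    return endpoints


def first_reachable(endpoints, timeout=1.0):
    """Walk the URI list in order and return the first server that accepts a
    TCP connection, i.e. the one a client lands on after failover.
    Returns None when no server answers."""
    for scheme, host, port in endpoints:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return (scheme, host, port)
        except OSError:
            continue  # refused or timed out: fall through to the next URI
    return None


if __name__ == "__main__":
    # Constructed sample mirroring the thread's hosts; they do not resolve here.
    line = authconfig_to_uri_line("ldap1.example.com,ldap2.example.com")
    print(line)
    print(parse_uri_line(line))
    print(first_reachable(parse_uri_line(line), timeout=0.5))
```

Run against the real /etc/ldap.conf line on a client to confirm the list is in the order you expect, since the first reachable server in that order is the one logins will depend on.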
 
Old 05-16-2009, 12:41 PM   #14
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

As above I would probably steer clear of appliances for load balancing here. F5's are THE best in the market by a long way, and at £40k per box, you'd hope so, but doing it via them adds additional hops on your network which is not ideal for something that low level. Load balancers DO fail, but what can't fail is not-a-load-balancer. Use them for higher level services, e.g. commercial websites, MQ proxying, Citrix LB etc... but not for things like this.
 
Old 05-16-2009, 10:09 PM   #15
custangro
Senior Member
 
Registered: Nov 2006
Location: California
Distribution: Fedora , CentOS , RHEL
Posts: 1,979

Original Poster
Blog Entries: 1

Quote:
Originally Posted by acid_kewpie
As above I would probably steer clear of appliances for load balancing here. F5's are THE best in the market by a long way, and at £40k per box, you'd hope so, but doing it via them adds additional hops on your network which is not ideal for something that low level. Load balancers DO fail, but what can't fail is not-a-load-balancer. Use them for higher level services, e.g. commercial websites, MQ proxying, Citrix LB etc... but not for things like this.
Thanks for the info

The "failover" doesn't take that long and I'm still weighing my options...so I'll post what I end up doing.

-C
 