Re: Round-robin LDAP

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Dennis Leeuw <D.Leeuw [at] umcutrecht.nl>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Re: Round-robin LDAP
Date: Tue, 18 Feb 2014 09:55:25 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Arthur,

That you for your respons.

On 02/17/2014 11:11 PM, Arthur de Jong wrote:
> On Thu, 2014-02-13 at 09:33 +0100, Dennis Leeuw wrote:
>> I hope this is the right list to post this to, since I have no
>> clue what is responsible for what we are experiencing. Hope
>> someone can point me in the right direction.
> 
> This is the right list for questions about nss-pam-ldapd.
> 
>> We have two subnets 192.168.196. 192.168.222.
>> 
>> Our main LDAP servers run in 192.168.196. and are load-balanced
>> by round-robin DNS. The 192.168.196. network is exhausted, so we
>> added a new LDAP slave to 192.168.222. and added the IP address
>> to the round-robin pool. But it seems that it is only used by
>> other servers in the 192.168.222 network and not by servers in
>> the 192.168.196. network
>> 
>> Further testing seems to prove that LDAP resolving preferes
>> servers in their own subnet regardless of the DNS round-robin
>> setup.
> 
> I'm not 100% sure when OpenLDAP (the LDAP library that
> nss-pam-ldapd uses) expands hostnames to IP addresses. It could be
> that something keeps cached entries around of addresses (longer
> than than DNS TTL).

We have now been running with this setup for 6 days. NSCD says:

        enable-cache            hosts           yes
        positive-time-to-live   hosts           3600
        negative-time-to-live   hosts           20

So it should be expired by now...

> As far as I know there is nothing in OpenLDAP that prefers certain 
> (their own) subnets over others.
> 
> If you have configured multiple LDAP servers in nslcd.conf nslcd
> will normally only connect to the first one and only fail over to
> the second one if the first one becomes unreachable.

Exactly, that's why we setup DNS round-robin in the first place.
That's how the old ldap.conf from NSS worked also.

> One thing to keep in mind is that hostname resolution can be quite 
> complex. At least the following configuration files apply:
> /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts, /etc/host.conf
> and /etc/nscd.conf.
> 
> I think the closest that you can do on the command-line to simulate
> how a "normal" application does hostname lookups is: getent ahosts
> servername

Tried that on several servers and it showed the exact round-robin
behaviour that I expect, and which I also get with the host command.

> 
> For details about how OpenLDAP libraries resolve hostnames the 
> openldap-technical list is probably the best place to go.
> 
> Hope this helps.

I will ask the OpenLDAP people to see if they can help with this
issue. I am still puzzled. Thanks again for the detailed explanation,
highly appreciated.

Dennis

- -- 
ICT Medewerker
Divisie Biomedische Genetica
UMC Utrecht
Heidelberglaan 100 STR2.126
3584 CX  Utrecht
The Netherlands
06 27744048
intern: 64048
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTAx/9AAoJEMVYYpdbQscoNbwH/Ru6ib4qJDAsXzLd8Mgq/lqR
IEDqHeBYHDpqFVrjtZdzRF0xqrYF7ZmNWGMR34UNDZcNLpJ3xCQquLYWfa8+zFuz
JUBDpJc2zoR0sL5srVf8B5UEfU442I5ie/OTbVdPgjPNZZVaPRrevr9snr7WJUzl
hXS9C3S2yg02Fm/sMIMr/jzcXYftYsRc2cli4QUJDomc2NJe439+Ke3ei8GGuCDK
cLlqwMGug5RTupyMOm2Ua23h4X3sgwdVueiDzz1O2dRJoyMaE1xw1WnAuST96dWm
/CRkDrOlqboTXN2CZ98RQijv6Kf0hO2t3HAMORL4f6zLheuuDblhnaop6CXljSw=
=tynW
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------

De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is
uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht
ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct
te informeren door het bericht te retourneren. Het Universitair Medisch
Centrum Utrecht is een publiekrechtelijke rechtspersoon in de zin van de W.H.W.
(Wet Hoger Onderwijs en Wetenschappelijk Onderzoek) en staat geregistreerd bij
de Kamer van Koophandel voor Midden-Nederland onder nr. 30244197.

Denk s.v.p aan het milieu voor u deze e-mail afdrukt.

------------------------------------------------------------------------------

This message may contain confidential information and is intended exclusively
for the addressee. If you receive this message unintentionally, please do not
use the contents but notify the sender immediately by return e-mail. University
Medical Center Utrecht is a legal person by public law and is registered at
the Chamber of Commerce for Midden-Nederland under no. 30244197.

Please consider the environment before printing this e-mail.
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

Round-robin LDAP, Dennis Leeuw
- Re: Round-robin LDAP, Arthur de Jong
  - Re: Round-robin LDAP, Dennis Leeuw

Prev by Date: Re: Round-robin LDAP
Next by Date: Root denied login if networking down
Previous by thread: Re: Round-robin LDAP
Next by thread: Root denied login if networking down