Re: Round-robin LDAP

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Arthur de Jong <arthur [at] arthurdejong.org>
To: nss-pam-ldapd-users [at] lists.arthurdejong.org
Subject: Re: Round-robin LDAP
Date: Mon, 17 Feb 2014 23:11:12 +0100

On Thu, 2014-02-13 at 09:33 +0100, Dennis Leeuw wrote:
> I hope this is the right list to post this to, since I have no clue
> what is responsible for what we are experiencing. Hope someone can
> point me in the right direction.

This is the right list for questions about nss-pam-ldapd.

> We have two subnets
> 192.168.196.
> 192.168.222.
> 
> Our main LDAP servers run in 192.168.196. and are load-balanced by
> round-robin DNS. The 192.168.196. network is exhausted, so we added a
> new LDAP slave to 192.168.222. and added the IP address to the
> round-robin pool. But it seems that it is only used by other servers
> in the 192.168.222 network and not by servers in the 192.168.196.
> network
> 
> Further testing seems to prove that LDAP resolving preferes servers in
> their own subnet regardless of the DNS round-robin setup.

I'm not 100% sure when OpenLDAP (the LDAP library that nss-pam-ldapd
uses) expands hostnames to IP addresses. It could be that something
keeps cached entries around of addresses (longer than than DNS TTL).

As far as I know there is nothing in OpenLDAP that prefers certain
(their own) subnets over others.

If you have configured multiple LDAP servers in nslcd.conf nslcd will
normally only connect to the first one and only fail over to the second
one if the first one becomes unreachable.

One thing to keep in mind is that hostname resolution can be quite
complex. At least the following configuration files
apply: /etc/nsswitch.conf, /etc/resolv.conf, /etc/hosts,
/etc/host.conf and /etc/nscd.conf.

I think the closest that you can do on the command-line to simulate how
a "normal" application does hostname lookups is:
  getent ahosts servername

For details about how OpenLDAP libraries resolve hostnames the
openldap-technical list is probably the best place to go.

Hope this helps.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/

Round-robin LDAP, Dennis Leeuw
- Re: Round-robin LDAP, Arthur de Jong

Prev by Date: Round-robin LDAP
Next by Date: Re: Round-robin LDAP
Previous by thread: Round-robin LDAP
Next by thread: Re: Round-robin LDAP