
Re: [nssldap] Connection persistence




IMHO, typically the code used for fail over is not very rich and lacks many of the features people desire, as you have noted.

We have found it is best to use a layer 4 switch between the users and multiple LDAP servers, as the layer 4 switches typically have more features.

-jim
Jim Willeke


On Thu, Nov 4, 2010 at 8:29 AM, James Davis <james.davis [at] ja.net> wrote:

Running Debian/etch (to be upgraded soon) and libnss-ldap 251-7.5etch1.

I've two OpenLDAP servers in different data centres, and have been
testing fail over between the two by blocking the primary LDAP server
with iptables. Something like...

iptables -A OUTPUT -p tcp -d myldapserver/32 --destination-port 636 -j DROP

My first resolution after blocking the primary LDAP server is delayed
slightly as expected when it times out connecting to the primary, but
succeeds after it tries the secondary. However, libnss-ldap isn't
keeping that connection to the secondary open, and goes through the same
process for each subsequent lookup. In my LDAP server's logs I have
something like:

Nov  4 12:17:25 slapd[21816]: conn=13709 fd=37 ACCEPT from IP=x.x.x.154:48592 (IP=0.0.0.0:636)
[... query executing successfully ...]
Nov  4 12:17:25 slapd[21816]: ber_get_next on fd 37 failed errno=0 (Success)
Nov  4 12:17:25 slapd[21816]: connection_closing: readying conn=13709 sd=37 for close
Nov  4 12:17:25 slapd[21816]: connection_close: conn=13709 sd=37
Nov  4 12:17:25 slapd[21816]: conn=13709 fd=37 closed (connection lost)
[....]
Nov  4 12:17:46 slapd[21816]: conn=13718 fd=66 ACCEPT from IP=x.x.x.154:48657 (IP=0.0.0.0:636)
[... query executing successfully ...]
Nov  4 12:17:46 slapd[21816]: ber_get_next on fd 66 failed errno=0 (Success)
Nov  4 12:17:46 slapd[21816]: connection_closing: readying conn=13718 sd=66 for close
Nov  4 12:17:46 slapd[21816]: connection_close: conn=13718 sd=66
Nov  4 12:17:46 slapd[21816]: conn=13718 fd=66 closed (connection lost)

I've checked the configuration and in /etc/libnss-ldap.conf I have the
following set:

nss_connect_policy persist

But it doesn't appear to be taking effect. Any suggestions? Have I
missed something obvious somewhere?

James

--
James Davis           +44 1235 822229              PGP: 0xD1622876
Senior CSIRT Member     0300 999 2340            (+44 1235 822340)
Lumen House, Library Avenue, Didcot, Oxfordshire, OX11 0SG
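As an added check that is not part of the thread: a script that measures how long each client connection lives in slapd logs of the shape quoted above, so that a non-working nss_connect_policy persist shows up as a host repeatedly opening connections that close within the same second. The log excerpt, the client addresses and the 5-second threshold are constructed assumptions; in practice the text would be read from the slapd log file.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed excerpt modelled on the slapd lines quoted in the thread.
# Client addresses are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Nov  4 12:17:25 slapd[21816]: conn=13709 fd=37 ACCEPT from IP=192.0.2.154:48592 (IP=0.0.0.0:636)
Nov  4 12:17:25 slapd[21816]: conn=13709 op=0 BIND dn="" method=128
Nov  4 12:17:25 slapd[21816]: conn=13709 fd=37 closed (connection lost)
Nov  4 12:17:46 slapd[21816]: conn=13718 fd=66 ACCEPT from IP=192.0.2.154:48657 (IP=0.0.0.0:636)
Nov  4 12:17:46 slapd[21816]: conn=13718 fd=66 closed (connection lost)
Nov  4 12:18:00 slapd[21816]: conn=13720 fd=70 ACCEPT from IP=192.0.2.77:51000 (IP=0.0.0.0:636)
Nov  4 12:25:00 slapd[21816]: conn=13720 fd=70 closed
"""

# Only the ACCEPT and closed lines matter; BIND/SEARCH/RESULT lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) slapd\[\d+\]: "
    r"conn=(?P<conn>\d+) fd=\d+ (?P<event>ACCEPT|closed)"
    r"(?: from IP=(?P<ip>[\d.]+):\d+)?"
)


def connection_lifetimes(log_text):
    """Return {conn_id: (client_ip, seconds_open)} for every connection whose
    ACCEPT and closed lines both appear in the excerpt (syslog has no year,
    so only within-day differences are meaningful)."""
    opened, lifetimes = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        conn = int(m["conn"])
        if m["event"] == "ACCEPT":
            opened[conn] = (m["ip"], ts)
        elif conn in opened:
            ip, started = opened.pop(conn)
            lifetimes[conn] = (ip, (ts - started).total_seconds())
    return lifetimes


def churning_clients(log_text, max_lifetime=5.0, min_connections=2):
    """Report {client_ip: connection_count} for clients whose every connection
    in the excerpt closed within max_lifetime seconds: the connect-per-lookup
    pattern the thread shows when the persist policy is not in effect."""
    per_client = defaultdict(list)
    for ip, secs in connection_lifetimes(log_text).values():
        per_client[ip].append(secs)
    return {ip: len(v) for ip, v in per_client.items()
            if len(v) >= min_connections and max(v) <= max_lifetime}


if __name__ == "__main__":
    print(churning_clients(SAMPLE_LOG))
```

A client that appears in this report after the fix is expected to have taken effect is the signal to recheck the libnss-ldap configuration rather than the server.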