Norman Gaywood ngaywood@une.edu.au wrote:
The DNS contains these records:

srv1 IN A 192.0.2.4
srv2 IN A 192.0.2.5
ldap 1 IN A 192.0.2.4
ldap 1 IN A 192.0.2.5
As the text says, this is multiple LDAP servers answering on the same DNS address. Where is the "fail-over" part? Is that assumed to be configured somewhere else?
On the client, you have this in ldap.conf:

URI ldaps://ldap.example.net:636
The client will spread its requests on srv1 and srv2. If one is down, then it will try the next one until one works.
The worst case is if one of {srv1, srv2} accepts the connection but takes forever to answer (a situation you can have in some kernel crashes, on heavy loads, or if you simulated it by sending a kill -STOP to slapd). In that situation the client connects and will timeout. The timeout setting is left to the application. pam_ldap has bind_timelimit, for instance. OpenLDAP command-line tools (ldapsearch and friends) are stuck with a hardcoded timeout that cannot be user-configured without rebuilding the sources.
No doubt this question is outside the scope of this list, but it would be useful to have this clarified if this thread lives on to be a HOWTO.
IMO, it's not outside the scope of the list. The list is about using OpenLDAP for doing things with it, right?
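An added illustration of the fail-over behaviour described above (not code from the thread or from OpenLDAP): the client walks the addresses behind a name in order, a dead host is skipped immediately, while a host that accepts the TCP connection but never answers costs the full timeout before the next one is tried. Local listeners on 127.0.0.1 stand in for srv1/srv2, and the "ok" banner is a constructed stand-in for an LDAP reply.

```python
import socket
import threading
import time

# Added example; local listeners stand in for the hosts behind the "ldap" name.
def start_server(mode):
    """Local TCP listener, 'healthy' (sends a banner) or 'hung' (accepts, never answers)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []  # keep accepted sockets open: a 'hung' peer must not send EOF
    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            if mode == "healthy":
                conn.sendall(b"ready\n")
            held.append(conn)  # 'hung' behaves like slapd after kill -STOP
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def connect_with_failover(addrs, timeout):
    """Try each (host, port) in turn, as a client walks the A records.
    Returns (address that answered or None, [(port, outcome, seconds), ...])."""
    attempts = []
    for host, port in addrs:
        s = socket.socket()
        s.settimeout(timeout)  # bounds connect() and the wait for an answer
        t0 = time.monotonic()
        try:
            s.connect((host, port))
            if not s.recv(64):
                raise ConnectionError("closed without answering")
            attempts.append((port, "ok", time.monotonic() - t0))
            return (host, port), attempts
        except socket.timeout:  # accepted but silent: the whole timeout is burnt
            attempts.append((port, "timeout", time.monotonic() - t0))
        except OSError:  # refused, reset or closed without answering: fails fast
            attempts.append((port, "refused", time.monotonic() - t0))
        finally:
            s.close()
    return None, attempts

def demo(timeout=0.5):
    # Constructed scenario: a dead port, a hung server, then a healthy one.
    hung, healthy = start_server("hung"), start_server("healthy")
    probe = socket.socket(); probe.bind(("127.0.0.1", 0))
    dead = probe.getsockname()[1]; probe.close()  # nothing listens here now
    return connect_with_failover([("127.0.0.1", p) for p in (dead, hung, healthy)], timeout)
```

The middle attempt in demo() is the case the thread warns about: the elapsed time for the hung host equals the configured timeout, which is why a short, application-level bind timeout matters more than the number of A records.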