On 09/02/2015 04:10 AM, Andrew Findlay wrote:
> Depending on exactly what you want to achieve, you may not need a
> separate service at all.
> Much LDAP client software allows you to specify multiple servers,
> which will be tried in rotation until one answers. This gives protection
> against unreachable servers.
Yup, this is probably the best/easiest way.

6 or 7 years ago, more as an experiment and proof of concept, I
set up multiple OpenLDAP servers in an OSPF anycast. So one, special, IP
address could be used but it could be any one of multiple servers that
answered. The way an OSPF-anycast works is you have an IP in a normally
non-routable subnet ifconfig'd as a secondary IP on each OpenLDAP
server. Then each OpenLDAP server runs a routing daemon and does an
OSPF route announcement for the service-IP. The routing infrastructure,
then, learns of a new route to this service-IP via the various OpenLDAP

Usually this is used for services you want to be geographically
diverse, where you want one IP to always route to the nearest, UP,
server. The routing infrastructure takes care of figuring out which
server is the closest and sends the traffic there.

Obviously some care has to be taken in how the load-balancing is
done by the routers if they have multiple equal-cost routes to the same
service-IP, and you have to have some form of watchdog that pulls down
the route if the OpenLDAP server is offline for some reason. But in a
lab environment, it worked fine for me.

Have I mentioned that just making sure your clients support and know
about multiple LDAP servers is easier? :-)
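The watchdog described above (pull the anycast route when slapd stops answering), as an added example in Python that is not from this thread: it sends an anonymous LDAP bind, checks the BindResponse resultCode rather than just a TCP connect, and adds or drops the service IP on a local interface. It assumes the routing daemon redistributes connected routes so that dropping the address withdraws the announcement; the address and interface names are placeholders.

```python
import socket
import subprocess
SERVICE_IP = "10.255.0.1/32"  # hypothetical anycast service address (assumption)
IFACE = "lo"                   # hypothetical interface holding the secondary IP

def ber_len(n):  # BER length octets, short or long form
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def read_tlv(buf, pos=0):  # one BER tag/length/value -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def anonymous_bind_request(msg_id=1):
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = b"\x02\x01\x03" + b"\x04\x00" + b"\x80\x00"  # version, empty DN, simple ""
    op = b"\x60" + ber_len(len(bind)) + bind           # [APPLICATION 0] BindRequest
    inner = b"\x02\x01" + bytes([msg_id]) + op
    return b"\x30" + ber_len(len(inner)) + inner

def bind_result_code(response):
    """resultCode from a BindResponse, or None if the bytes are not one."""
    try:
        tag, msg, _ = read_tlv(response)
        _, _, pos = read_tlv(msg)                      # skip messageID
        op_tag, op, _ = read_tlv(msg, pos)
        code_tag, code, _ = read_tlv(op)
    except IndexError:
        return None
    if (tag, op_tag, code_tag) != (0x30, 0x61, 0x0A):  # SEQUENCE, BindResponse, ENUMERATED
        return None
    return int.from_bytes(code, "big") if code else None  # empty value = truncated reply

def ldap_healthy(host, port=389, timeout=3.0):
    """True only if slapd accepts the connection and answers the bind with success (0)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(anonymous_bind_request())
            return bind_result_code(s.recv(4096)) == 0
    except OSError:
        return False

def set_service_ip(present):  # assumes the routing daemon redistributes connected routes
    action = "add" if present else "del"
    subprocess.run(["ip", "addr", action, SERVICE_IP, "dev", IFACE], check=False)
```

Run `set_service_ip(ldap_healthy("127.0.0.1"))` from cron or a systemd timer on each server; a refused connection, a timeout, or any non-zero resultCode all count as down.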