I've set up a master and slave ldap service for failover; however, I'd like some advice on how to keep the ldap clients cached with the ldap creds if ever the master and slave ldap server goes. I've tried to extend the time of the caching on nscd - name server caching daemon - but it doesn't work when I add ldap users to certain groups. I've also tried pam caching credentials but it doesn't work that well either. Finally, I also tried sssd but couldn't get it to work on my Ubuntu 10.10 clients. Anyone have a simple solution that works when slave and master ldap servers get out of commission? I've thought about a getent passwd >> /etc/passwd cron job, etc.
Anton Chu wrote:
Set up OpenLDAP nssov on all clients, use the proxycache overlay and/or syncrepl to continue operating when servers and/or networks fail.
On Tue, 2011-01-18 at 14:43 -0800, Anton Chu wrote:
I've set up a master and slave ldap service for failover;
My failover construction is a bit different, but it works quite nicely, so I'd like to share this. For a simple and reliable failover I have two LDAP servers in Mirror mode with Keepalived on top of it. This is based on having one virtual IP for both machines. When the one LDAP server (master) that has the IP fails, all read & write operations are directed to the backup server. When the failed LDAP server comes up again it takes over the IP again and SyncRepl on the slave takes care of updating the master.
Best regards, Kuba
I currently have a Master/Slave Failover setup and I'm planning to deploy 100 ldap clients soon. I'm thinking about installing a Slave LDAP Server in all my ldap clients. I'm sure this will bog down the network but can I program syncrepl to be less chatty between master and slave? I'm planning to point 60 of my clients to the master while the rest will point to the slave. Your thoughts?
Kindest regards, Anton
On Tue, Jan 18, 2011 at 3:22 PM, jekvb <jekvb@gmx.co.uk> wrote:
100 ldap clients is tiny. Why would you need 100 replicas? Seems massively overkill to me. If you want a couple of replicas for failover and load distribution create a few replicas. You shouldn't need one replica per client...
--Quanah
--On Wednesday, January 26, 2011 1:40 PM -0800 Anton Chu <anton.chu@telecommand.com> wrote:
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Overkill.
Set up two slaves behind a VIP. Point local clients to that VIP.
If load is high on them, add nodes.
Set up mirror masters behind a VIP (one that prefers one server: no round robin, active/standby). Point slaves (and perhaps any local clients) to that VIP.
* If using SSL (and you should be), you'll have to use either wildcard certs or certs using the hostname of the VIP.
- chris
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs@apollogrp.edu
________________________________
From: openldap-technical-bounces@OpenLDAP.org
To: jekvb@gmx.co.uk
Cc: openldap-technical@openldap.org
Sent: Wed Jan 26 14:40:59 2011
Subject: Re: Failover Failure Advice
Hello Anton,
I suggest you seriously take a dive into the earlier suggestion I made (see below).
When you're worried about too much network traffic (VRRP can make quite some noise), you can put the two "real" LDAP servers into a dedicated VLAN, or use a secondary interface on both LDAP machines and let them talk to each other over a crossover cable.
Suggestion: start with making a well-working Mirror mode replication on two LDAP servers. If that runs OK, install "some Virtual IP" software and make that work. For the LDAP clients there's nothing else to do than to make them point to the Virtual (or floating) IP.
Regards, Kuba
On Wed, 2011-01-26 at 13:40 -0800, Anton Chu wrote:
> On Tue, Jan 18, 2011 at 3:22 PM, jekvb <jekvb@gmx.co.uk> wrote:
> > On Tue, 2011-01-18 at 14:43 -0800, Anton Chu wrote:
> > > I've set up a master and slave ldap service for failover;
> > My failover construction is a bit different, but it works quite nicely, so I'd like to share this. For a simple and reliable failover I have two LDAP servers in Mirror mode with Keepalived on top of it. This is based on having one virtual IP for both machines. When the one LDAP server (master) that has the IP fails, all read & write operations are directed to the backup server. When the failed LDAP server comes up again it takes over the IP again and SyncRepl on the slave takes care of updating the master.
> > Best regards, Kuba
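Kuba's design (two servers in Mirror mode with Keepalived holding one virtual IP, described in his first message and restated as steps in this one), as an added example that is not from the thread: the mirror-mode stanza for one of the two slapd servers and a matching keepalived.conf whose health check queries slapd itself rather than only checking that the process exists. Hostnames, the suffix, the replication DN, the VIP address and the check-script path are assumptions.

```conf
# --- /etc/ldap/slapd.conf on ldap1 (ldap2 is identical except serverID 2 and
#     provider=ldap://ldap1.example.com). Hostnames, suffix, paths and the
#     replication DN are assumptions for this example.
serverID        1

database        hdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
# Pull changes from the other mirror; retry forever so a long outage is survived.
syncrepl        rid=001
                provider=ldap://ldap2.example.com
                type=refreshAndPersist
                retry="5 5 300 +"
                searchbase="dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=REPLACE_WITH_REPLICATOR_PASSWORD
                starttls=critical tls_reqcert=demand
mirrormode      on
# Serve changes to the other mirror (and to any read-only slaves).
overlay         syncprov
syncprov-checkpoint 100 10

# --- /etc/keepalived/keepalived.conf on ldap1 (ldap2: state BACKUP, priority 90).
# Preemption is left on, so ldap1 takes the VIP back once it is healthy again.
vrrp_script chk_slapd {
    # Anonymous base search against the local slapd: fails when slapd is hung,
    # not only when the process is gone. check_slapd.sh is an assumed script:
    #   ldapsearch -x -H ldap://127.0.0.1 -b "" -s base -LLL namingContexts
    script   "/usr/local/sbin/check_slapd.sh"
    interval 5
    fall     2
    rise     2
}

vrrp_instance LDAP_VIP {
    state             MASTER
    interface         eth0
    virtual_router_id 51
    priority          100
    advert_int        1
    virtual_ipaddress {
        # ldap.example.com: the TLS cert on BOTH servers must carry this name.
        192.0.2.10/24
    }
    track_script {
        chk_slapd
    }
}
```

Point clients at ldap.example.com (the VIP) only; the syncrepl provider on each mirror must be the other server's real hostname, never the VIP, or a mirror can end up replicating from itself after a failover.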