I am attempting to set up an OpenLDAP proxy, which I'd like to connect to a number of OpenLDAP directories in a round-robin fashion. There are currently 2 LDAP servers, with a round-robin DNS hostname pointing to them.
I set up OpenLDAP to proxy to this hostname, but it seems that when I actually connect to the proxy, it picks one of the addresses and holds on to it. If it gets the second server on its first connection, it then continues to use that server.
Is there a way to make OpenLDAP connect to each server? Whether it uses the round-robin hostname or not is irrelevant. Two methods I can think of would be to somehow keep slapd from caching the DNS name, or to specify each server separately in the slapd.conf on the proxy.
Thanks!
-- 
Nathan Lager
System Administrator
11 Pardee Hall
Lafayette College, Easton, PA 18042
610-330-5907
You could force a short LDAP idle timeout on the server, so the server will drop the connection after a certain amount of inactivity.
AFAIK from the client's perspective an LDAP connection stays open once established, until the TCP/IP connection is lost. This can mean the server dropping the connection due to inactivity, which is a poor man's round robin.
Even if you had a hardware content switch, you can only round-robin "new" connections; you wouldn't want to forcefully / randomly terminate (non-timed-out) established connections, for data safety, as the client might be in the middle of doing some critical LDAP transaction which takes several operations to complete, etc.
Importantly though, the LDAP client application(s) should be written with clustering in mind:
a. The app should make a connection, do some stuff, then disconnect. There cannot be long-duration connection caching if you want to make sure the load is spread evenly over your LDAP cluster.
b. The app should retry idempotent operations at least once, to cover the case where it tries to use a "stale" connection which has just been terminated due to inactivity.
Cheers Brett
On Thu, May 14, 2009 at 6:32 AM, Nathan Lager lagern@lafayette.edu wrote:
> [...]
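Putting the two halves of the thread together, here is an added configuration example (not from either poster) covering both Nathan's option of listing each server separately in the proxy's slapd.conf and Brett's idle-timeout suggestion for the backends. It uses the back-ldap directives documented in slapd-ldap(5) for OpenLDAP 2.4 (uri, idle-timeout, conn-ttl, tls) and the global idletimeout from slapd.conf(5). The hostnames, suffix and timing values are assumptions.

```conf
#####################################################################
# Proxy: slapd.conf on the OpenLDAP proxy (back-ldap)
# Assumed backend hostnames: ldap1.example.edu, ldap2.example.edu
# Assumed round-robin name:  ldap.example.edu
#####################################################################
database        ldap
suffix          "dc=example,dc=edu"

# Option 1: name each server explicitly instead of the round-robin
# name.  Caveat: with several URIs in one argument libldap uses the
# FIRST server that responds, so this gives failover, not load
# spreading; ldap2 is only contacted when ldap1 is unreachable.
uri             "ldap://ldap1.example.edu/ ldap://ldap2.example.edu/"

# Option 2: keep the round-robin name and stop back-ldap from holding
# one cached backend connection forever.  Each re-open resolves the
# name again, so over time connections land on both servers.
#uri            "ldap://ldap.example.edu/"

# Drop a cached backend connection after it has been idle this long
# (seconds)...
idle-timeout    30
# ...or after this lifetime whether idle or not, so a busy proxy does
# not stay pinned to whichever server it reached first.
conn-ttl        300

# Do not send proxied binds in the clear on the proxy->backend hop.
# Assumes the CA material for the backends is configured separately.
tls             start

#####################################################################
# Backends: slapd.conf on ldap1 and ldap2, global section (before the
# first "database" line).  This is Brett's suggestion: close any
# client connection, the proxy's included, after N idle seconds so
# the client has to reconnect.
#####################################################################
# idletimeout   30
```

To check which server actually answers, set loglevel conns on both backends and watch their logs while querying the proxy; with option 1 only ldap1 should show connections until it is stopped, with option 2 both should appear once the first connection has been recycled. Keep idle-timeout/idletimeout above the longest gap you expect inside a multi-operation sequence, for the data-safety reason Brett gives above.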
Thanks for the info and suggestions. I don't know that the idle timeout will work in this situation, but I'll give it a try and see how it works.
Thanks!
Brett @Google wrote:
> [...]
openldap-technical@openldap.org