You could force a short ldap timeout on the server, so the server will drop
the connection after a certain amount of inactivity.
AFAIK from the client's perspective LDAP connection stays open once
established, until the TCP/IP connection is lost. This can mean the server
dropping the connection due to inactivity, which is a poor man's round
Even if you had a hardware content switch, you can only round robin "new"
connections, you wouldn't want to forcefully / randomly terminate (non-timed
out) established connections for data safety, as the client might be in the
middle of doing some critical ldap transaction which takes several
operations to complete etc.
Importantly though, the ldap client application(s) should be written with
clustering in mind:
a. app should make a connection, do some stuff, then disconnect. There
cannot be long duration connection caching if you want to make sure the load
is spread evenly over your ldap cluster.
b. app should retry idempotent operations at least once, to cover the case
it tries to use a "stale" connection which has just been terminated due to
On Thu, May 14, 2009 at 6:32 AM, Nathan Lager <lagern(a)lafayette.edu> wrote:
I am attempting to set up an openldap proxy, which I'd like to connect to
a number of openldap directories in a round-robin fashion.
There are currently 2 ldap servers, with a round-robin DNS hostname
pointing to them.
I set up openldap to proxy to this hostname, but it seems that when I
actually connect to the proxy, it picks one of the addresses, and holds
on to it. If it gets the second server on its first connection, it then
continues to use that server.
Is there a way to make openldap connect to each server? Whether it uses
the round robin hostname or not is irrelevant. Two methods I can think
of would be to somehow keep slapd from caching the dns name. Or if I can
specify each server separately in the slapd.conf on the proxy.
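An added illustration of points a. and b. in the reply above (connect per operation, no connection caching, retry a stale connection once and only for idempotent operations); this is not code from either poster. The server and cluster classes are constructed stand-ins for slapd instances behind a round-robin DNS name, so it runs offline.

```python
from itertools import cycle
from typing import Any, Callable


class StaleConnection(Exception):
    """The server dropped the session (for example slapd's idletimeout fired)."""


class FakeLdapServer:
    """Constructed stand-in for one slapd behind the round-robin DNS name."""

    def __init__(self, name: str, drop_next: bool = False):
        self.name, self.searches, self.drop_next = name, 0, drop_next

    def search(self, base: str) -> list:
        if self.drop_next:             # simulate one idle-timeout drop
            self.drop_next = False
            raise StaleConnection(f"{self.name} closed the connection")
        self.searches += 1
        return [f"cn=example,{base}"]


class RoundRobinCluster:
    """Every new connection gets the next address the DNS name resolves to."""

    def __init__(self, servers: list):
        self.servers, self._next = servers, cycle(servers)

    def connect(self) -> FakeLdapServer:
        return next(self._next)


def run_op(cluster: RoundRobinCluster, op: Callable[[FakeLdapServer], Any],
           idempotent: bool) -> Any:
    """Connect, run one operation, disconnect.  A stale connection is retried
    exactly once, and only for idempotent operations (search, compare); a
    modify that may already have been applied is never replayed."""
    tries = 2 if idempotent else 1
    for attempt in range(1, tries + 1):
        conn = cluster.connect()       # fresh session, fresh round-robin pick
        try:
            return op(conn)
        except StaleConnection:
            if attempt == tries:
                raise
        # no connection caching: the session ends here on every path


def demo(n_searches: int = 10) -> dict:
    """Spread n searches over two servers, one of which drops its first session."""
    cluster = RoundRobinCluster([FakeLdapServer("ldap1"),
                                 FakeLdapServer("ldap2", drop_next=True)])
    for _ in range(n_searches):
        run_op(cluster, lambda c: c.search("dc=example,dc=edu"), idempotent=True)
    return {s.name: s.searches for s in cluster.servers}
```

With ten searches, `demo()` returns `{"ldap1": 6, "ldap2": 4}`: the one dropped session is retried on the next server in rotation, and every other search lands alternately because no connection is reused.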