Oftentimes client software doesn't support more than one ldap node.
A VIP using the same cert as the nodes simplifies things (e.g.: cert name ldapvip with
altnames ldap01, ldap02, and ldapvip itself jic). We use ldap pairs (slaves) in all our
environments behind VIPs with the active-spare multi-master pair also behind a VIP (which
is where the slave nodes connect). This has worked well for us; if the VIP is down then
much larger issues are at play, and it offers us a lot of flexibility during maintenance, let
alone being more immune to system issues.
TL;DR: get a good load balancing solution, it makes life easier for everything (like apps
or services) including ldap.
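As an added illustration of the shared-cert VIP layout described above (this is example
code, not anything from the thread or the poster's environment), the following shell
functions issue one self-signed server certificate whose subjectAltName lists the VIP name
plus both node names, and then check whether a given hostname is covered by that cert.
The names ldapvip, ldap01, ldap02 and example.org are constructed placeholders; the
functions assume OpenSSL 1.1.1 or newer for -addext and -ext.

```shell
#!/bin/sh
# Added example, not from the original thread. One cert for the VIP and both
# LDAP nodes, so the hostname a client connects to always matches a SAN.
# WORK is a scratch directory; hostnames below are hypothetical.
WORK="${WORK:-$(mktemp -d)}"

# make_vip_cert VIPNAME NODE...  -> prints the path of the generated cert.
# CN is the VIP name; every name (VIP included) goes into the SAN list,
# because modern clients match SANs only and ignore the CN.
make_vip_cert() {
  vip=$1; shift
  sans="DNS:$vip"
  for n in "$@"; do
    sans="$sans,DNS:$n"
  done
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$vip.key" -out "$WORK/$vip.crt" \
    -subj "/CN=$vip" -addext "subjectAltName=$sans" >/dev/null 2>&1 || return 1
  echo "$WORK/$vip.crt"
}

# cert_covers CERT HOSTNAME -> exit 0 if HOSTNAME appears as a DNS SAN.
# Output of `openssl x509 -ext subjectAltName` looks like:
#   X509v3 Subject Alternative Name:
#       DNS:ldapvip.example.org, DNS:ldap01.example.org, ...
# so strip whitespace, split on commas, drop the DNS: prefix, exact-match.
cert_covers() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr -d ' \t' | tr ',' '\n' | sed 's/^DNS://' | grep -qxF "$2"
}

# demo: generate the cert and report which names it covers
demo() {
  crt=$(make_vip_cert ldapvip.example.org ldap01.example.org ldap02.example.org)
  for h in ldapvip.example.org ldap01.example.org ldap02.example.org ldap03.example.org; do
    if cert_covers "$crt" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
  done
}

if [ "${1:-}" = "--run" ]; then demo; fi
```

Run with --run to see the check against a fourth, uncovered node name. In production the
same cert and key would be installed on both nodes (and on the VIP if it terminates TLS),
and the check can be repeated against the live service with openssl s_client -connect
ldapvip:636 -servername ldapvip after a renewal, so a cert that dropped a node name is
caught before clients start failing.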
From: openldap-technical [mailto:firstname.lastname@example.org] On Behalf Of
Sent: Wednesday, September 02, 2015 9:45 AM
Subject: Re: load balancer
On 09/02/2015 04:10 AM, Andrew Findlay wrote:
Depending on exactly what you want to achieve, you may not need
a separate service at all.
Much LDAP client software allows you to specify multiple servers,
which will be tried in rotation until one answers. This gives
protection against unreachable servers.
Yup, this is probably the best/easiest way.
6 or 7 years ago, more as an experiment and proof of concept, I set up multiple
OpenLDAP servers in an OSPF anycast. So one, special, IP address could be used but it
could be any one of multiple servers that answered. The way an OSPF-anycast works is you
have an IP in a normally non-routable subnet ifconfig'd as a secondary IP on each
OpenLDAP server. Then each OpenLDAP server runs a routing daemon and does an OSPF route
announcement for the service-IP. The routing infrastructure, then, learns of a new route
to this service-IP via the various OpenLDAP servers.
Usually this is used for services you want to be geographically diverse, where you
want one IP to always route to the nearest, UP, server. The routing infrastructure takes
care of figuring out which server is the closest and sends the traffic there.
Obviously some care has to be taken in how the load-balancing is done by the routers
if they have multiple equal-cost routes to the same service-IP, and you have to have some
form of watchdog that pulls down the route if the OpenLDAP server is offline for some
reason. But in a lab environment, it worked fine for me.
Have I mentioned that just making sure your clients support and know about multiple
LDAP servers is easier? :-)
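The watchdog mentioned above (the piece that pulls down the route when slapd is offline) is
the part of an anycast setup people most often leave out. Here is an added example of one,
not code from the poster's lab: it assumes the routing daemon redistributes connected
routes, so that adding or removing the secondary service-IP on the interface is what
announces or withdraws the OSPF route. SERVICE_IP, IFACE and LDAP_URI are hypothetical
values; the decision logic is kept in a separate function so it can be exercised without
touching the network.

```shell
#!/bin/sh
# Added example, not from the original thread: anycast service-IP watchdog
# for one OpenLDAP node. Assumes the local routing daemon announces
# connected routes, so the service-IP's presence on IFACE is the route.
SERVICE_IP="${SERVICE_IP:-192.0.2.10/32}"    # hypothetical anycast address
IFACE="${IFACE:-lo}"                          # where the secondary IP lives
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1}"      # the local slapd, not the VIP

# ldap_healthy: 0 when the local slapd answers an anonymous RootDSE read
# within 3 seconds. Refused, timed out or erroring all count as down.
ldap_healthy() {
  ldapsearch -H "$LDAP_URI" -x -s base -b "" -l 3 \
    '(objectClass=*)' namingContexts >/dev/null 2>&1
}

# service_ip_present: 0 when the service-IP is currently configured on IFACE
service_ip_present() {
  ip -o addr show dev "$IFACE" | grep -qF " ${SERVICE_IP%%/*}/"
}

# decide_action HEALTH PRESENT -> prints add, del or none.
# Both arguments are exit statuses: 0 = true, non-zero = false.
decide_action() {
  if [ "$1" -eq 0 ] && [ "$2" -ne 0 ]; then
    echo add      # slapd is up but we are not announcing: start announcing
  elif [ "$1" -ne 0 ] && [ "$2" -eq 0 ]; then
    echo del      # slapd is down but still announced: withdraw the route
  else
    echo none     # state already matches health; nothing to do
  fi
}

# apply_action: the only function that changes system state
apply_action() {
  case "$1" in
    add) ip addr add "$SERVICE_IP" dev "$IFACE" ;;
    del) ip addr del "$SERVICE_IP" dev "$IFACE" ;;
    none) ;;
  esac
}

# run_once: one watchdog pass; run it from cron or a short sleep loop.
# Prints the action taken so the caller can log or alert on transitions.
run_once() {
  if ldap_healthy; then h=0; else h=1; fi
  if service_ip_present; then p=0; else p=1; fi
  action=$(decide_action "$h" "$p")
  apply_action "$action"
  logger -t ldap-anycast "health=$h present=$p action=$action"
  echo "$action"
}

if [ "${1:-}" = "--run" ]; then run_once; fi
```

The health probe deliberately goes to 127.0.0.1 rather than the service-IP: probing the
anycast address from the node itself would be answered by whichever server currently wins
the route and tells you nothing about the local slapd. The equal-cost concern from the
post still applies on the router side; this script only guarantees that a dead node stops
being a candidate.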