
Re: failover config: servers with same DNS address and TLS, subjectAltName extension



Norman Gaywood <ngaywood@une.edu.au> wrote:

> > The DNS contains these records:
> > srv1        IN      A       192.0.2.4
> > srv2        IN      A       192.0.2.5
> > ldap    1 IN    A       192.0.2.4
> > ldap    1 IN    A       192.0.2.5
> 
> As the text says, this is multiple LDAP servers answering on the same
> DNS address. Where is the "fail-over" part? Is that assumed to be
> configured somewhere else?

On the client, you have this in ldap.conf
URI     ldaps://ldap.example.net:636
 
The client will spread its requests on srv1 and srv2. If one is down,
then it will try the next one until one works.

The worst case is if one of {srv1, srv2} accepts the connection but takes
forever to answer (a situation you can have in some kernel crashes, on
heavy loads, or if you simulated it by sending a kill -STOP to slapd).
In that situation the client connects and will time out. The timeout
setting is left to the application. pam_ldap has bind_timelimit, for
instance. OpenLDAP command-line tools (ldapsearch and friends) are stuck
with a hardcoded timeout that cannot be user-configured without
rebuilding the sources.

> No doubt this question is outside the scope of this list, but it would
> be useful to have this clarified if this thread lives on to be a HOWTO.

IMO, it's not outside the scope of the list. The list is about using
OpenLDAP for doing things with it, right?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
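The client behaviour described in this message, written out as an added Python example (not code from the message, the thread or OpenLDAP): walk the addresses behind the shared name, bound every connection with a timeout so a server that accepts but never answers is skipped, and verify each server's certificate against the shared DNS name rather than its IP, which is why the certificates need that name as a subjectAltName. The hostname, port and 192.0.2.x addresses are the thread's example values; `simulated_connector` is a constructed stand-in for the real TLS connector so the hung-server case can be exercised offline.

```python
import socket
import ssl
from typing import Callable, List, Tuple

# Values taken from the thread's example zone and ldap.conf; change them for a real deployment.
HOSTNAME = "ldap.example.net"   # the shared round-robin name; every server's cert must carry it as a SAN
PORT = 636

def resolve(hostname: str, port: int = PORT) -> List[str]:
    """All addresses behind the round-robin name (srv1 and srv2 in the thread's zone)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)})

def tls_connect(addr: str, port: int, hostname: str, timeout: float) -> ssl.SSLSocket:
    """Connect to one address with a hard deadline and verify the cert against the shared DNS name."""
    raw = socket.create_connection((addr, port), timeout=timeout)
    tls = ssl.create_default_context().wrap_socket(raw, server_hostname=hostname)
    tls.settimeout(timeout)  # keep the deadline for the LDAP exchange too: a wedged slapd must not hang us
    return tls

Connector = Callable[[str, int, str, float], object]

def connect_with_failover(addresses: List[str], port: int, hostname: str,
                          timeout: float, connector: Connector = tls_connect):
    """Try each address in turn; record why a server was skipped (refused, TLS failure, or hung)."""
    skipped: List[Tuple[str, str]] = []
    for addr in addresses:
        try:
            return connector(addr, port, hostname, timeout), skipped
        except OSError as exc:  # socket.timeout and ssl.SSLError are both OSError subclasses
            skipped.append((addr, "timeout" if isinstance(exc, socket.timeout) else "error"))
    raise ConnectionError(f"no usable server among {addresses}: {skipped}")

def simulated_connector(hung: set) -> Connector:
    """Constructed stand-in for tls_connect: addresses in `hung` accept the TCP connection but never answer."""
    def connect(addr, port, hostname, timeout):
        if addr in hung:
            raise socket.timeout(f"{addr} accepted the connection but sent nothing in {timeout}s")
        return f"tls session to {addr} verified as {hostname}"
    return connect

if __name__ == "__main__":
    # srv1 has been "kill -STOP"ed: the client must time out and move on to srv2 instead of waiting forever.
    session, skipped = connect_with_failover(["192.0.2.4", "192.0.2.5"], PORT, HOSTNAME, 5.0,
                                             connector=simulated_connector({"192.0.2.4"}))
    print(session, skipped)
```

With the real `tls_connect`, `connect_with_failover(resolve(HOSTNAME), PORT, HOSTNAME, 5.0)` does the same walk against the live servers, and a certificate that lacks `ldap.example.net` as a SAN fails with `ssl.SSLCertVerificationError` and is skipped like any other bad server.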