[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GSSAPI and LVS Load balanced ldap servers

On 2/3/09 12:37 PM, Aaron Richton wrote: 
On Tue, 3 Feb 2009, Francis Swasey wrote:

failure mode. It works with ldaps://ldap.uvm.edu and fails with ldaps://<realname>.uvm.edu. Which is "OK" for my purposes.

I'd really like to be able to have both work, but perhaps cyrus-sasl will change at some point in the future to support the kind of trickery that really happens out here in the world.

I'm not so sure I agree with this. In theory, when you're doing load balancing through a VIP, all the real servers should appear absolutely identical. You don't *want* the clients to be able to see which real they're getting. If one of them processes requests as rs1 and a different one doesn't...that's a failure of the load balancing configuration, IMO.

With that said, I'll of course note that in practice, theory and practice don't always agree. But it looks like they do in this case, and I can't see what the negative would be.

I want it to work with GSSAPI as the VIP for the users. I'd also like it to work as the real name so I could start using GSSAPI for the replication (currently using SSL protected simple authentication).



[maybeHint: Around here, the reals know who they are individually, but slapd is only configured as the VIP and the VIP name is aliased in /etc/hosts. So we can check end-to-end authentication locally on each real, and it shows up on Nagios appropriately, in the event that one of them gets confused. MOST IMPORTANTLY, this is exactly the same as the USER experience, because we're NOT monitoring "ldap://rs1/"; -- that's not what users care about!]

We have configured nagios to monitor both the real names and the VIP. If one of the real names goes away, we care and respond. If the VIP goes away, we REALLY care (cuz email and a bunch of other stuff just tanked too) and respond even if we have to abandon a shopping cart full of groceries in the checkout line...

Frank