Re: Multiple Slave LDAP Servers

You can't do this. The servers need to have ldap/<REAL HOST NAME HERE> principals.

Yeah, I tried many versions of this. I set it up just like you have it (round-robin CNAMEs) and it's working great. I found that coming in via the LVS IP address was causing slapd to... for lack of a better way of describing this... come in as ldap-test.ncsu.edu, then verify against the real hostname of the server. In which case, it said "no". I actually had all sorts of principals in the keytab. ;)

host/real_hostname
ldap/real_hostname
ldap/ldap.ncsu.edu
ldap/uni08vs.unity.ncsu.edu (the 'real hostname' of the virtual IP address)
ldap/ldap-test.ncsu.edu
...

It was looking quite crazy. In the end, I came back to CNAMEs.

An interesting side note to this is, krb5 gssapi type auth works great through lvs to our LPRng servers. The thing is, LPRng lets me specify outright the kerberos principal id it should use:

My belief is, that's why LPRng works through LVS and OpenLDAP does not.

Anyway, I've switched to CNAME based load balancing and everything seems to be fine now.

On a side note, 9 slaves?? Wow. Since you have been running this longer than us (obviously), did you find soon that you needed this many? Would buying more powerful machines have made it so you didn't necessarily need that many or did you need that many regardless? Just trying to get a feel for future sizing requirements. =)


I have this all working here at Stanford.

Our load balance name is: ldap.stanford.edu

The master replicates to the hostnames:


(We have 9 replicas.)

Note that you can have multiple principals in a keytab file, so you can have both ldap/ldap.ncsu.edu and ldap/<HOST>.ncsu.edu in the same file. This should fix your issues, as long as you have the master replicating to the specific host names, not the load balanced host names.
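As an added example (not part of the thread, and not code from either poster), here is a small POSIX shell check for the keytab layout described above: it parses `klist -kt` output and confirms that a replica's keytab holds both the load-balanced `ldap/` principal and the `ldap/` and `host/` principals for the machine's real name. The realm `EXAMPLE.EDU`, the sample `klist` listing, and the two hostnames are constructed for the example, modelled on the names used in the thread.

```shell
#!/bin/sh
# Added example: verify a replica's keytab carries every principal a
# load-balanced LDAP server needs (balanced name + real hostname).
# Input is the text of `klist -kt <keytab>`; a constructed sample is
# embedded so the script runs offline.

# Constructed values modelled on the thread; the realm is an assumption.
REALM="EXAMPLE.EDU"
LB_NAME="ldap.ncsu.edu"                 # load-balanced (CNAME) name
REAL_NAME="uni08vs.unity.ncsu.edu"      # this replica's real hostname

# Constructed sample of `klist -kt /etc/krb5.keytab` output.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   3 01/01/2005 00:00:00 host/uni08vs.unity.ncsu.edu@EXAMPLE.EDU
   3 01/01/2005 00:00:00 ldap/uni08vs.unity.ncsu.edu@EXAMPLE.EDU
   2 01/01/2005 00:00:00 ldap/ldap.ncsu.edu@EXAMPLE.EDU'

# Constructed sample of a keytab that only has the host/ principal.
INCOMPLETE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   3 01/01/2005 00:00:00 host/uni08vs.unity.ncsu.edu@EXAMPLE.EDU'

# keytab_has_principal KLIST_OUTPUT PRINCIPAL
# Returns 0 if the principal appears as the last field of any line.
keytab_has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# check_ldap_keytab KLIST_OUTPUT
# Prints one line per required principal; returns 1 if any is missing.
check_ldap_keytab() {
    missing=0
    for p in "ldap/$LB_NAME@$REALM" "ldap/$REAL_NAME@$REALM" "host/$REAL_NAME@$REALM"; do
        if keytab_has_principal "$1" "$p"; then
            echo "present: $p"
        else
            echo "MISSING: $p"
            missing=1
        fi
    done
    return $missing
}

# Stand-alone run against the constructed samples. On a real replica you
# would feed it: check_ldap_keytab "$(klist -kt /etc/krb5.keytab)"
echo "== complete keytab =="
check_ldap_keytab "$SAMPLE_KLIST"
echo "== incomplete keytab =="
check_ldap_keytab "$INCOMPLETE_KLIST" || echo "keytab needs more principals"
```

The check only reads the listing; adding the missing entries is still done with your KDC's normal tooling (for MIT Kerberos, `kadmin` with `ktadd -k <keytab> <principal>`, or `ktutil` to merge keytab files). Run it on every replica after the master is set to replicate to the real hostnames, since a keytab that is correct for the balanced name alone is exactly the case the thread describes failing.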


