
Re: load balancer cluster for kerberized ldap service



Hi!
 
We are using OpenLDAP v2.3.19 in combination with MIT Kerberos V1.4.3, 
OpenSSL 9.9.7i and Cyrus-SASL 2.1.20 on the Solaris 9 platform for 
kerberized bind on the LDAP directory in a single sign-on environment. 
As our applications do frequent LDAP searches, we are trying to set up a 
highly available configuration for both components with quick failover. 
 
We are not able to use DNS in the final environment. As the standard 
solution (lists of Kerberos and LDAP server URLs) results in unacceptably high TCP timeouts if one server is down, we are trying to use a load-balancer-based 
cluster of servers (one Kerberos and one LDAP instance on each physical server).
 
As far as I know, the instance <FQDN> of the LDAP service principal ldap/<FQDN>@REALM 
is given by the value of sasl-host in slapd.conf. To access multiple servers with 
the same virtual address / URL, we would have to assign the same instance on all servers 
of the cluster (mapping the same hostname locally to a different IP address on each 
server). However, for the replication process we need different service principals for 
each physical slave server as long as we do the replication with kerberized bind.

Is there a way to assign, besides the principal with a common instance for all slave servers 
(used for LDAP queries to the virtual address of the cluster), a second principal 
(which we could use for replication) with an instance that differs on each server? 
Is there another / better way to set up a load balancer cluster for an LDAP service? 

Thanks for considering this problem.

With kind regards

Friedbert Mueller
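The post above needs each cluster member to hold two service principals: a shared ldap/<virtual FQDN>@REALM for clients going through the load balancer, and its own ldap/<own FQDN>@REALM for kerberized replication binds. The following is an added example (not code from the thread) that checks each member's keytab for both, parsing `klist -k` output; the realm, hostnames and listings are constructed, and a key present in the keytab does not by itself settle whether slapd's sasl-host setting lets it accept that principal, which is the open question of the post.

```python
"""Verify that every LDAP cluster member's keytab holds both the shared
virtual service principal and its own host principal (added example;
realm, hostnames and klist output are constructed sample data)."""
import re

REALM = "EXAMPLE.COM"              # assumed Kerberos realm
VIRTUAL_FQDN = "ldap.example.com"  # assumed virtual address of the cluster

# Constructed `klist -k` output for each physical server (MIT Kerberos format).
KEYTAB_LISTINGS = {
    "srv1.example.com": """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   3 ldap/ldap.example.com@EXAMPLE.COM
   3 ldap/srv1.example.com@EXAMPLE.COM
""",
    "srv2.example.com": """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   2 ldap/ldap.example.com@EXAMPLE.COM
""",
}

# A keytab entry line: key version number, whitespace, principal@REALM.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")


def parse_klist(output):
    """Return the set of principals listed in `klist -k` output."""
    return {m.group(1) for m in map(PRINCIPAL_RE.match, output.splitlines()) if m}


def required_principals(fqdn):
    """Principals a cluster member must hold: the shared one and its own."""
    return {
        "virtual": "ldap/%s@%s" % (VIRTUAL_FQDN, REALM),
        "own": "ldap/%s@%s" % (fqdn, REALM),
    }


def check_member(fqdn, klist_output):
    """Return the roles ('virtual', 'own') whose principal is missing from the keytab."""
    have = parse_klist(klist_output)
    return sorted(role for role, p in required_principals(fqdn).items() if p not in have)


def check_cluster(listings):
    """Map each member FQDN to the list of roles it is missing (empty list = ok)."""
    return {fqdn: check_member(fqdn, out) for fqdn, out in listings.items()}


if __name__ == "__main__":
    for fqdn, missing in check_cluster(KEYTAB_LISTINGS).items():
        print(fqdn, "ok" if not missing else "missing: " + ", ".join(missing))
```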




