Re: failover timeout.
Suomi, it's not as straightforward as that.
BIND used to return an ordered list of addresses for any host with multiple
address records. The ordering tried to put the most appropriate address first,
based on the requestor's address. This was determined to be undesirable and
non-RFC compliant behaviour because it is the responsibility of the client to
reorder addresses returned from a query; the server has insufficient
information about the client to make this decision (for example, it doesn't
know if the client is multihomed).
Client DNS resolvers used to discard all but the first record returned from a
DNS query, making an implicit assumption that "the first was the best".
Nowadays, some versions of BIND do round-robin their ordering. Some people in
the ISC want to implement a more random order, though, so this is not a
reliable path for the future; the rr-directives and ordering algorithms have
been changing quite a lot. More importantly, the DNS clients in most operating
systems (including Linux and Windows) are evolving, and some are already able
to work with multiple addresses being returned by DNS servers. Some clients
(such as Win2K) will cache portions of their name service returns locally!
Like many DNS administrators, I've always implemented a server-side sortlist
that mimics the behaviour of BIND 4.9 for multi-homed hosts whenever I've set
up a BIND 8 or BIND 9 server. This prevents Windows desktops from consuming
excessive bandwidth through subnetwork routing nodes, and multi-homed hosts
will probably reorder the list anyway.
You might also find these notes interesting:
http://www.webperformance.org/dns-issue.html
If you want LDAP server failover beyond what OpenLDAP itself provides, I
recommend linux-ha instead of round-robin DNS. It's got a brighter, more
predictable future.
--Charlie
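Charlie's point that reordering belongs in the client, and the original question of how long a client waits before moving on to the next server, can be shown together in one place. The following is an added example, not code from this thread or from BIND: it reproduces a sortlist-style ordering on the client side and then tries the resulting addresses in turn with a per-attempt timeout. The addresses, requester and sortlist rules are constructed, and the connector is injectable so the logic runs offline.

```python
import ipaddress
import socket

# Constructed example values: two LDAP servers on different subnets, the
# requester sits on the first subnet. Nothing here is from the list posting.
LDAP_ADDRESSES = ["10.2.0.5", "10.1.0.5"]   # order as returned by DNS
REQUESTER = "10.1.0.9"
# sortlist-style rules: (network the requester must be in, preferred networks in order)
SORTLIST = [("10.1.0.0/16", ["10.1.0.0/16", "10.2.0.0/16"])]


def sort_by_locality(addresses, requester, sortlist):
    """Client-side equivalent of a BIND sortlist: if the requester falls in a
    rule's match network, addresses in that rule's preferred networks come
    first, in the order the networks are listed. Ties keep DNS order."""
    req = ipaddress.ip_address(requester)
    preferred = []
    for match_net, nets in sortlist:
        if req in ipaddress.ip_network(match_net):
            preferred = [ipaddress.ip_network(n) for n in nets]
            break

    def rank(addr):
        a = ipaddress.ip_address(addr)
        for i, net in enumerate(preferred):
            if a in net:
                return i
        return len(preferred)  # unmatched addresses go last

    return sorted(addresses, key=rank)  # sorted() is stable


def tcp_connect(addr, port, timeout):
    """Real connector; a down server raises OSError (refused or timed out)."""
    return socket.create_connection((addr, port), timeout=timeout)


def connect_with_failover(addresses, port, timeout, connector=tcp_connect):
    """Try each address in turn with a per-attempt timeout and return
    (address, connection) for the first one that answers. The worst-case
    wait before reaching a working server is timeout x (failed servers)."""
    errors = []
    for addr in addresses:
        try:
            return addr, connector(addr, port, timeout)
        except OSError as exc:
            errors.append("%s: %s" % (addr, exc))
    raise OSError("all addresses failed: " + "; ".join(errors))
```

With a client like this, the DNS server's ordering no longer matters: the requester's own sortlist decides the order, and a dead master costs exactly one timeout before the slave is tried.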
On 1 Oct 2003 at 18:46, suomi hasler wrote:
Hi Pierre-Yves,
I have had the same "problem", i.e. pam-ldap on two replicated (via
slurpd) servers:
I created a "virtual" host in the DNS containing both IP addresses of
the two LDAP servers. With the new DNS protocols you will have a
DNS round-robin for the two LDAP servers.
Then I shut down one ldap-server and the pam-ldap service just continued
from the other part of this virtual DNS host.
It may depend on which version of BIND you have on your DNS for the
DNS round-robin to take effect. I have version 9.1.x installed. So be
warned, test the behaviour before making it active.
suomi
pierre-yves.verdon wrote:
>
>I'm planning to install a slave with my master LDAP server. They are used for
>authentication purposes.
>The ldap.conf on a client will include the master and the slave server.
>If the master is down, how long does the client wait before asking the
>slave server? Where could I change this timeout?
>