AW: load balancer cluster for kerberized ldap service
- To: <OpenLDAP-software@OpenLDAP.org>
- Subject: AW: load balancer cluster for kerberized ldap service
- From: Müller2 Friedbert <fm@iskv.de>
- Date: Fri, 3 Mar 2006 16:53:48 +0100
Hi!
We are using OpenLDAP v2.3.19 in combination with MIT Kerberos V1.4.3,
OpenSSL 0.9.7i and Cyrus-SASL 2.1.20 on the Solaris 9 platform for
kerberized bind to the LDAP directory in a single sign-on environment.
As our applications do frequent LDAP searches, we are trying to set up a
highly available configuration for both components with quick failover.
We are not able to use DNS in the final environment. As the standard
solution (lists of Kerberos and LDAP server URLs) results in unacceptably high TCP timeouts if one server is down, we are trying to use a load-balancer-based
cluster of servers (one Kerberos and one LDAP instance on each physical server).
As far as I know, the instance <FQDN> of the LDAP service principal ldap/<FQDN>@REALM
is given by the value of sasl-host in slapd.conf. To access multiple servers with
the same virtual address / URL, we would have to assign the same instance on all servers
of the cluster (mapping the same hostname locally to a different IP address on each
server). However, for the replication process we need different service principals for
each physical slave server as long as we do the replication with a kerberized bind.
Is there a way to assign, besides the principal with a common instance for all slave servers
(used for LDAP queries to the virtual address of the cluster), a second principal
with a different instance on each server, which we could use for replication?
Is there another / better way to set up a load balancer cluster for an LDAP service?
Thanks for considering this problem.
With kind regards
Friedbert Mueller
***********************************************************************
The information in this e-mail is confidential and is intended solely
for the named addressee(s). Access to this e-mail by anyone other than
the named addressee(s) is not permitted. If you are not the named
addressee, please delete this e-mail.
***********************************************************************
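Added here as an editor's example, not code from the post or from OpenLDAP: the set-up described above needs, on every cluster node, one shared principal ldap/<sasl-host>@REALM for clients binding to the virtual address and one per-server principal ldap/<own FQDN>@REALM for replication. The check below reads the sasl-host / sasl-realm directives from slapd.conf and the principal inventory from `klist -k` output and reports nodes that lack either principal, nodes that carry another node's principal (a copied keytab), or nodes that disagree on sasl-host. It assumes a MIT keytab may hold several principals (it can) and says nothing about whether slapd's SASL layer will actually use the second one, which is the open question of the post. The hostnames, realm, slapd.conf fragments and klist listings are constructed for the example.

```python
"""Keytab / sasl-host consistency check for a load-balanced, kerberized
OpenLDAP cluster.  Inputs below are constructed samples, not real files."""
import re

REALM = "EXAMPLE.COM"          # invented realm
VIRTUAL = "ldap.example.com"   # invented virtual name served by the load balancer

# Constructed slapd.conf fragments, keyed by each node's physical FQDN.
SLAPD_CONF = {
    "ldap1.example.com": (
        "include /etc/openldap/schema/core.schema\n"
        f"sasl-host {VIRTUAL}\n"
        f"sasl-realm {REALM}\n"
    ),
    "ldap2.example.com": (
        "include /etc/openldap/schema/core.schema\n"
        f"sasl-host {VIRTUAL}\n"
        f"sasl-realm {REALM}\n"
    ),
}

# Constructed 'klist -k' listings in MIT format: header, then "KVNO Principal" rows.
KLIST_GOOD = {
    "ldap1.example.com": (
        "Keytab name: FILE:/etc/krb5.keytab\n"
        "KVNO Principal\n"
        "---- --------------------------------------------------------\n"
        f"   2 ldap/{VIRTUAL}@{REALM}\n"
        f"   2 ldap/ldap1.example.com@{REALM}\n"
    ),
    "ldap2.example.com": (
        "Keytab name: FILE:/etc/krb5.keytab\n"
        "KVNO Principal\n"
        "---- --------------------------------------------------------\n"
        f"   2 ldap/{VIRTUAL}@{REALM}\n"
        f"   2 ldap/ldap2.example.com@{REALM}\n"
    ),
}

# Same cluster, but ldap2 was provisioned with a copy of ldap1's keytab.
KLIST_BAD = dict(KLIST_GOOD)
KLIST_BAD["ldap2.example.com"] = (
    "Keytab name: FILE:/etc/krb5.keytab\n"
    "KVNO Principal\n"
    "---- --------------------------------------------------------\n"
    f"   2 ldap/{VIRTUAL}@{REALM}\n"
    f"   2 ldap/ldap1.example.com@{REALM}\n"
)


def parse_slapd_conf(text):
    """Return {'sasl-host': ..., 'sasl-realm': ...}; last directive wins."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(sasl-host|sasl-realm)\s+(\S+)", line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_klist(text):
    """Return the set of principal names in 'klist -k' output."""
    princs = set()
    for line in text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)$", line)
        if m:
            princs.add(m.group(1))
    return princs


def check_cluster(confs, klists):
    """Return a list of problem strings; empty means every node has the
    shared virtual-name principal and its own unique replication principal,
    holds no other node's principal, and all nodes agree on sasl-host."""
    problems = []
    sasl_hosts = set()
    for node, conf_text in confs.items():
        conf = parse_slapd_conf(conf_text)
        host, realm = conf.get("sasl-host"), conf.get("sasl-realm")
        if not host or not realm:
            problems.append(f"{node}: sasl-host or sasl-realm missing from slapd.conf")
            continue
        sasl_hosts.add(host)
        princs = parse_klist(klists.get(node, ""))
        virtual = f"ldap/{host}@{realm}"
        own = f"ldap/{node}@{realm}"
        if virtual not in princs:
            problems.append(f"{node}: keytab lacks {virtual} (shared principal for the virtual address)")
        if own not in princs:
            problems.append(f"{node}: keytab lacks {own} (per-server replication principal)")
        for other in confs:
            if other != node and f"ldap/{other}@{realm}" in princs:
                problems.append(f"{node}: keytab also holds ldap/{other}@{realm} (keys shared with {other})")
    if len(sasl_hosts) > 1:
        problems.append("nodes disagree on sasl-host: " + ", ".join(sorted(sasl_hosts)))
    return problems


if __name__ == "__main__":
    for label, klists in (("good", KLIST_GOOD), ("copied keytab", KLIST_BAD)):
        print(label, check_cluster(SLAPD_CONF, klists) or "OK")
```

Run against real servers, the inputs would be the node's slapd.conf and the output of `klist -k` on that node; the check deliberately stops at the inventory level and does not probe the directory.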