Hi Beamon,

On Fri, 10 Jun 2011, Beamon, John wrote:

> Has anyone engineered a design to run 389-ds servers behind a hardware load balancer like an f5 LTM? I've found this question presented before, but never answered.
>
> a) the openldap-clients ldap module will query the first host/uri in the list until the port goes down

Not a problem here. Most load balancers (including F5s) can be set up with an active/passive config.

> b) the server can run out of file descriptors or memory and stop answering queries without closing the port

Assuming you can run a health check that does an LDAP query, this should be no problem. I've done this with LDAP on Foundry devices.

> c) pointing clients at a virtualized name on a hardware LB will present a name conflict. The SSL cert on the directory server must match the v-name on the LB to answer queries, but it must match the local hostname for replication agreements.

Not really a problem if you use Subject Alternate Names on your certificates, or wildcard certs, depending on your network architecture and other considerations.

This stuff's all pretty doable -- I've been doing it here for almost a decade now.

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
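As an added illustration of point (b) above (not code from the poster or from the 389-ds project): a health probe that performs a real LDAP operation, so a server whose port is still open but which has stopped answering (file descriptors or memory exhausted) is marked down when the bind times out. It hand-encodes an anonymous BindRequest with the standard library only; host, port and timeout are assumed values, and it assumes the directory permits anonymous binds.

```python
import socket

def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload

def anonymous_bind_request(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name "", simple "" } }."""
    bind = _tlv(0x60, _tlv(0x02, b"\x03") + _tlv(0x04, b"") + _tlv(0x80, b""))
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + bind)

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos]."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long-form length
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln

def parse_bind_result(pdu: bytes) -> int:
    """Extract resultCode from a BindResponse; ValueError if it is not one."""
    tag, msg, _ = _read_tlv(pdu, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(msg, 0)          # messageID INTEGER
    tag, result, _ = _read_tlv(msg, pos)
    if tag != 0x61:                              # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    tag, code, _ = _read_tlv(result, 0)          # LDAPResult.resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")

def ldap_health_check(host: str, port: int = 389, timeout: float = 3.0) -> bool:
    """True only if the server answers an anonymous bind with success (0)
    within `timeout`; a connect that succeeds but never answers counts as DOWN."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(anonymous_bind_request())
            data = s.recv(4096)                  # small PDU, one read suffices
            return bool(data) and parse_bind_result(data) == 0
    except (OSError, ValueError, IndexError):    # refused, timed out, or garbage
        return False

if __name__ == "__main__":
    print("UP" if ldap_health_check("ldap.example.test") else "DOWN")  # assumed host
```

A directory that rejects anonymous binds should be probed with a dedicated bind DN instead; the resultCode check then still distinguishes "answering" from "port open but hung".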