Re: Re: ext_kerberos_ldap_group_acl AD servers

Hi Carlos,

As a first option I use DNS service records, for which you can define priority and weights. The -S will overwrite DNS resolution.

Regards
Markus

"Carlos Defoe" <carlosdefoe@xxxxxxxxx> wrote in message news:CAHsHsyvs7DzJEaviiikmjQg4+-0KjoU34UEdHwnwrzET6ggrSA@xxxxxxxxxxxxxx...
Approx. 200 req/s

But, if I set up ldap servers with "-S", will they be used instead of
the servers found using DNS? If not, I think that would be a good
idea: a means to force the use of (at least with higher priority) the most
reliable servers, chosen by the administrator. The problem is that
DNS, no matter the status of the ldap server, will always reply with
all the ldap server addresses.

Could you give me an example line on how to use "-S"? I couldn't
understand the syntax...

-S ldap server list
list of ldap servers of the form
lserver|lserver@|lserver_at_Realm[:lserver@|lserver_at_Realm]

Can I just put the IP address? Right now I cannot do many tests, because
I have no testing environment. I will configure and then wait for the
next failure.

thank you

On Sat, Aug 10, 2013 at 10:10 AM, Markus Moeller
<huaraz@xxxxxxxxxxxxxxxx> wrote:
Hi Carlos,

The helper must determine somehow an LDAP server and, as you say, there are
several options to failover.  I wonder why the CPU goes up (how many
connections/sec do you have?). I don't see a magical way to avoid a timeout
if an ldap server fails, and squid caches authorisation status to make it
less of an issue.

I could also cache the ldap server status and retry a dead ldap server
after some time, maybe giving faster responses.

Markus

"Carlos Defoe" <carlosdefoe@xxxxxxxxx> wrote in message
news:CAHsHsyuJjNypq+hfgiwdd_z8PsMOAdp7wRs73LM1M-RkzTXZSg@xxxxxxxxxxxxxx...

Hello,

I'm having the following issue.

My network has about 15 AD domain controllers. When
ext_kerberos_ldap_group_acl is used, according to the help page, it
operates as follows:
" ext_kerberos_ldap_group_acl will determine automagically the right
ldap server.
The following method is used:

      1) For user <at> REALM
         a) Query DNS for SRV record _ldap._tcp.REALM
         b) Query DNS for A record REALM
         c) Use LDAP_URL if given

      2) For user
         a) Use domain -D REALM and follow step 1)
         b) Use LDAP_URL if given "

When a WAN link fails and, let's say, half of the AD DCs go offline,
the helper gives me a lot of errors like "kerberos_ldap_group: ERROR:
Error while binding to ldap server with SASL/GSSAPI: Can't contact
LDAP server". CPU usage goes to the top and things get ugly.

How can I avoid this? If I set some LDAP servers with "-S" and half
of them go offline, will the same behaviour happen? If I set the two
most reliable DCs, will they be used instead of the DNS discovery
process?

thanks,

Carlos
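The thread turns on two things: the order in which SRV-discovered domain controllers would be tried (priority, then weight) and how a hand-picked list is written for the helper's -S option. The script below is an added example, not code from the squid project or from either poster. It takes constructed sample lines in the shape `dig +short SRV _ldap._tcp.REALM` returns (priority, weight, port, target), lists the servers in try order, and joins the hostnames with ':' as the -S syntax quoted above shows; the example.com hostnames are placeholders, and the RFC's weighted random choice within one priority is collapsed to a plain sort by weight here.

```shell
#!/bin/sh
# Added example (not from the squid-users thread). Constructed sample data in the
# shape of `dig +short SRV _ldap._tcp.EXAMPLE.COM` output: "priority weight port target."
# EXAMPLE.COM / example.com are placeholder names, not a real realm.
SAMPLE_SRV='10 40 389 dc03.example.com.
0 100 389 dc01.example.com.
0 50 389 dc02.example.com.
20 0 389 dc04.example.com.'

# srv_order: read SRV answer lines on stdin, print "host:port" per line in the
# order a SRV-aware client tries them: lowest priority value first, then the
# highest weight first within the same priority (deterministic, not the RFC's
# weighted random pick). The trailing dot of the DNS name is stripped.
srv_order() {
    sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 ":" $3 }'
}

# srv_to_S: turn the try-order list into the value for the helper's -S option.
# The syntax quoted in the thread, lserver[:lserver...], separates servers with ':'.
# An administrator would normally trim this to the few DCs they trust most.
srv_to_S() {
    srv_order | awk -F: '{ hosts = hosts (NR > 1 ? ":" : "") $1 } END { print hosts }'
}

# Try order, one server per line, then the single -S argument built from it.
printf '%s\n' "$SAMPLE_SRV" | srv_order
printf '%s\n' "$SAMPLE_SRV" | srv_to_S
```

The last line printed is the string that would follow -S on the helper's command line in squid.conf; comparing the SRV try order against the servers that actually answered during an outage is also a quick way to see which DCs DNS keeps handing out while they are unreachable.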
