Ok. Apparently, "-S 192.168.1.10:192.168.1.11:192.168.1.12" works. We went through another WAN link failure, and the proxies had no problems.

On Mon, Aug 12, 2013 at 3:29 PM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> Hi Carlos,
>
> As a first option I use DNS service records, for which you can define
> priority and weights. The -S will overwrite DNS resolution.
>
> Regards
> Markus
>
> "Carlos Defoe" <carlosdefoe@xxxxxxxxx> wrote in message
> news:CAHsHsyvs7DzJEaviiikmjQg4+-0KjoU34UEdHwnwrzET6ggrSA@xxxxxxxxxxxxxx...
>
>> Approx. 200 req/s
>>
>> But, if I set up ldap servers with "-S", will they be used instead of
>> the servers found using DNS? If not, I think that would be a good
>> idea: a means to force the use of (at least with higher priority) the most
>> reliable servers, chosen by the administrator. The problem is that
>> DNS, no matter the status of the ldap server, will always reply with
>> all the ldap server addresses.
>>
>> Could you give me an example line on how to use "-S"? I couldn't
>> understand the syntax...
>>
>>     -S ldap server list
>>         list of ldap servers of the form
>>         lserver|lserver@|lserver_at_Realm[:lserver@|lserver_at_Realm]
>>
>> Can I just put the IP address? Right now I cannot do many tests, because
>> I have no testing environment. I will configure and then wait for the
>> next failure.
>>
>> thank you
>>
>> On Sat, Aug 10, 2013 at 10:10 AM, Markus Moeller
>> <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>
>>> Hi Carlos,
>>>
>>> The helper must determine somehow a LDAP server and, as you say, there
>>> are several options to failover. I wonder why the CPU goes up (how many
>>> connections/sec do you have?). I don't see a magical way to avoid a
>>> timeout if an ldap server fails, and squid caches authorisation status
>>> to make it less of an issue.
>>>
>>> I could also cache the ldap server status and retry a dead ldap server
>>> after some time, giving maybe faster responses.
>>>
>>> Markus
>>>
>>> "Carlos Defoe" <carlosdefoe@xxxxxxxxx> wrote in message
>>> news:CAHsHsyuJjNypq+hfgiwdd_z8PsMOAdp7wRs73LM1M-RkzTXZSg@xxxxxxxxxxxxxx...
>>>
>>>> Hello,
>>>>
>>>> I'm having the following issue.
>>>>
>>>> My network has about 15 AD domain controllers. When
>>>> ext_kerberos_ldap_group_acl is used, according to the help page, it
>>>> operates by doing:
>>>>
>>>>   "ext_kerberos_ldap_group_acl will determine automagically the right
>>>>   ldap server.
>>>>   The following method is used:
>>>>
>>>>   1) For user@REALM
>>>>      a) Query DNS for SRV record _ldap._tcp.REALM
>>>>      b) Query DNS for A record REALM
>>>>      c) Use LDAP_URL if given
>>>>
>>>>   2) For user
>>>>      a) Use domain -D REALM and follow step 1)
>>>>      b) Use LDAP_URL if given"
>>>>
>>>> When a WAN link fails and, let's say, half of the AD DCs go offline,
>>>> the helper gives me a lot of errors like "kerberos_ldap_group: ERROR:
>>>> Error while binding to ldap server with SASL/GSSAPI: Can't contact
>>>> LDAP server". CPU usage goes to the top and things get ugly.
>>>>
>>>> How can I avoid this? If I set some LDAP servers with "-S", and half
>>>> of them go offline, will the same behaviour happen? If I set the two
>>>> most reliable DCs, will they be used instead of the DNS discovery
>>>> process?
>>>>
>>>> thanks,
>>>>
>>>> Carlos
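The server selection order quoted from the helper's help page (SRV record, then A record, then LDAP_URL), the RFC 2782 priority/weight ordering of SRV answers that Markus points to, and the `-S` list that overrides DNS, as an added example in Python that is not part of this thread and not the squid helper's own code. The zone data, host names and addresses are constructed stand-ins; the pairing of a realm-less `-S` entry with the `-D` default realm is this example's own assumption, not something the help text states.

```python
"""Added example (not the squid helper's own code): models the LDAP server
selection order quoted from ext_kerberos_ldap_group_acl's help page and the
-S static list that overrides DNS discovery. DNS data below is constructed."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Srv:
    priority: int   # RFC 2782: lower value is preferred
    weight: int     # relative share within one priority
    port: int
    target: str


# Constructed stand-in for a real zone (hypothetical names and addresses).
SRV_ZONE: Dict[str, List[Srv]] = {
    "_ldap._tcp.EXAMPLE.COM": [
        Srv(0, 100, 389, "dc1.example.com"),
        Srv(0, 100, 389, "dc2.example.com"),
        Srv(10, 0, 389, "dc-remote.example.com"),  # across the WAN: last resort
    ],
}
A_ZONE: Dict[str, List[str]] = {"BRANCH.EXAMPLE.COM": ["192.0.2.20"]}


def parse_server_list(spec: str, default_realm: Optional[str] = None
                      ) -> List[Tuple[str, Optional[str]]]:
    """Parse the -S syntax from the help text:
    lserver|lserver@|lserver_at_Realm[:lserver@|lserver_at_Realm]
    Entries are colon-separated; a realm may follow '@' or '_at_'.
    Assumption of this example: an entry without a realm is paired with
    the -D default realm."""
    servers = []
    for item in spec.split(":"):
        if not item:
            continue
        if "_at_" in item:
            host, realm = item.split("_at_", 1)
        elif "@" in item:
            host, realm = item.split("@", 1)
        else:
            host, realm = item, ""
        servers.append((host, realm or default_realm))
    return servers


def order_srv(records: List[Srv], rng: random.Random) -> List[Srv]:
    """RFC 2782 ordering: ascending priority; inside one priority, repeated
    weighted random draws until the group is exhausted. When every weight in
    a group is 0 the records are simply taken in listed order."""
    ordered: List[Srv] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            pick = group[0]
            if total > 0:
                x = rng.randint(0, total - 1)
                acc = 0
                for r in group:
                    acc += r.weight
                    if x < acc:
                        pick = r
                        break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def candidate_servers(user: str, static_list: Optional[str] = None,
                      default_realm: Optional[str] = None,
                      ldap_url: Optional[str] = None,
                      rng: Optional[random.Random] = None) -> List[str]:
    """Servers to try, in order. A -S list wins outright (it overrides DNS,
    as Markus says); otherwise the realm comes from user@REALM or -D, then
    SRV, then A record, then LDAP_URL, in the order the help page lists."""
    rng = rng or random.Random(0)
    if static_list:
        return [host for host, _realm in parse_server_list(static_list, default_realm)]
    realm = user.split("@", 1)[1] if "@" in user else default_realm
    if not realm:
        return [ldap_url] if ldap_url else []
    srv = SRV_ZONE.get("_ldap._tcp." + realm.upper())
    if srv:
        return [f"{r.target}:{r.port}" for r in order_srv(srv, rng)]
    addrs = A_ZONE.get(realm.upper())
    if addrs:
        return [f"{ip}:389" for ip in addrs]
    return [ldap_url] if ldap_url else []


if __name__ == "__main__":
    print("DNS:", candidate_servers("carlos@EXAMPLE.COM"))
    print("-S :", candidate_servers("carlos", "192.168.1.10:192.168.1.11:192.168.1.12"))
```

Two practical points follow from this. The SRV route only keeps the WAN-side DCs out of the way if the zone actually assigns them a worse (higher) priority; with identical priorities, as AD registers by default, every DC is a candidate, which is the situation Carlos describes. And neither the SRV ordering nor a static `-S` list removes the bind timeout against a server that is listed but unreachable; that is the part Markus says only a cached dead-server status could shorten.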