Re: Re: Re: ext_kerberos_ldap_group_acl AD servers

Ok. Apparently, "-S 192.168.1.10:192.168.1.11:192.168.1.12" works.
We went through another WAN link failure, and the proxies had no problems.



On Mon, Aug 12, 2013 at 3:29 PM, Markus Moeller <huaraz@xxxxxxxxxxxxxxxx> wrote:
> Hi Carlos,
>
>    As a first option I use DNS service records for which you can define
> priority and weights. The -S will overwrite DNS resolution.
>
> Regards
> Markus
>
> "Carlos Defoe" <carlosdefoe@xxxxxxxxx> wrote in message
> news:CAHsHsyvs7DzJEaviiikmjQg4+-0KjoU34UEdHwnwrzET6ggrSA@xxxxxxxxxxxxxx...
>
>> Approx. 200 req/s
>>
>> But, if I set up ldap servers with "-S", will they be used instead of
>> the servers found using DNS? If not, I think that would be a good
>> idea: a means to force the use (at least with higher priority) of the most
>> reliable servers, chosen by the administrator. The problem is that
>> DNS, no matter the status of the ldap server, will always reply with
>> all the ldap server addresses.
>>
>> Could you give me an example line on how to use "-S"? I couldn't
>> understand the syntax...
>>
>> -S ldap server list
>> list of ldap servers of the form
>> lserver|lserver@|lserver_at_Realm[:lserver@|lserver_at_Realm]
>>
>> Can I just put the IP address? Right now I cannot do many tests, because
>> I have no testing environment. I will configure and then wait for the
>> next failure.
>>
>> thank you
>>
>>
>>
>>
>> On Sat, Aug 10, 2013 at 10:10 AM, Markus Moeller
>> <huaraz@xxxxxxxxxxxxxxxx> wrote:
>>>
>>> Hi Carlos,
>>>
>>>    The helper must somehow determine an LDAP server and, as you say, there
>>> are several options to failover.  I wonder why the CPU goes up (how many
>>> connections/sec do you have?). I don't see a magical way to avoid a
>>> timeout if an ldap server fails, and squid caches authorisation status to
>>> make it less of an issue.
>>>
>>>   I could also cache the ldap server status and retry a dead ldap server
>>> after some time, giving maybe faster responses.
>>>
>>> Markus
>>>
>>> "Carlos Defoe" <carlosdefoe@xxxxxxxxx> wrote in message
>>>
>>> news:CAHsHsyuJjNypq+hfgiwdd_z8PsMOAdp7wRs73LM1M-RkzTXZSg@xxxxxxxxxxxxxx...
>>>
>>>> Hello,
>>>>
>>>> I'm having the following issue.
>>>>
>>>> My network has about 15 AD domain controllers. When
>>>> ext_kerberos_ldap_group_acl is used, according to the help page, it
>>>> operates as follows:
>>>> " ext_kerberos_ldap_group_acl will determine automagically the right
>>>> ldap server.
>>>> The following method is used:
>>>>
>>>>       1) For user <at> REALM
>>>>          a) Query DNS for SRV record _ldap._tcp.REALM
>>>>          b) Query DNS for A record REALM
>>>>          c) Use LDAP_URL if given
>>>>
>>>>       2) For user
>>>>          a) Use domain -D REALM and follow step 1)
>>>>          b) Use LDAP_URL if given "
>>>>
>>>> When a WAN link fails and, let's say, half of the AD DCs go offline,
>>>> the helper gives me a lot of errors like "kerberos_ldap_group: ERROR:
>>>> Error while binding to ldap server with SASL/GSSAPI: Can't contact
>>>> LDAP server". CPU usage goes to the top and things get ugly.
>>>>
>>>> How can I avoid this? If I set some LDAP servers with "-S", and half
>>>> of them go offline, will the same behaviour happen? If I set the two
>>>> most reliable DCs, will they be used instead of the DNS discovery
>>>> process?
>>>>
>>>> thanks,
>>>>
>>>> Carlos
>>>>
>>>
>>>
>>
>
>
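The server-selection order discussed in this thread (the "-S" list format from the help text, SRV priority and weight as Markus describes, and the DNS fallback from the helper's documented steps), as an added Python example that is not code from the Squid project or the helper; the SRV records, hostnames and the `srv_lookup` callback are constructed assumptions.

```python
import random

# Constructed sample SRV answer (not a real zone): two local DCs at priority 0,
# one remote DC at priority 10, as in the thread's WAN-failure scenario.
SAMPLE_SRV = {"_ldap._tcp.EXAMPLE.COM": [(0, 100, "dc1.example.com"),
                                          (0, 50, "dc2.example.com"),
                                          (10, 100, "dc-remote.example.com")]}

def parse_server_list(spec):
    # -S value: lserver|lserver@|lserver_at_Realm[:...]; entries are
    # colon-separated, so use hostnames or IPv4 literals, not IPv6.
    servers = []
    for item in filter(None, spec.split(":")):
        for sep in ("@", "_at_"):
            if sep in item:
                host, realm = item.split(sep, 1)
                break
        else:
            host, realm = item, ""
        servers.append((host, realm.upper() or None))
    return servers

def order_srv(records, rng=None):
    # records: (priority, weight, target). Lowest priority first; within a
    # priority level choose targets by weighted random draw (RFC 2782).
    rng, ordered = rng or random.Random(), []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.uniform(0, total) if total else 0
            for rec in pool:
                pick -= rec[1]
                if pick <= 0:
                    break
            pool.remove(rec)
            ordered.append(rec[2])
    return ordered

def ldap_candidates(user, srv_lookup, default_realm=None, override=None, rng=None):
    # Documented order: -S list if given, else realm from user@REALM (or -D),
    # then SRV _ldap._tcp.REALM, then an A record for the REALM name itself.
    if override:
        return [host for host, _ in parse_server_list(override)]
    realm = user.rsplit("@", 1)[1] if "@" in user else (default_realm or "")
    if not realm:
        return []
    realm = realm.upper()
    records = srv_lookup("_ldap._tcp." + realm)
    return order_srv(records, rng) if records else [realm.lower()]
```

With an explicit "-S" list the DNS answer is never consulted, which is why the dead DCs stop mattering once the list names only the reliable ones.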


