Re: [squid-users] Re: ext_kerberos_ldap_group_acl AD servers

From: Carlos Defoe <carlosdefoe_at_gmail.com>
Date: Mon, 12 Aug 2013 13:23:15 -0300

Approx. 200 req/s

But, if I set up ldap servers with "-S", will they be used instead of
the servers found using DNS? If not, I think that would be a good
idea: a means to force the use of (at least with higher priority) the most
reliable servers, chosen by the administrator. The problem is that
DNS, no matter the status of the ldap server, will always reply with
all the ldap server addresses.

Could you give me an example line on how to use "-S"? I couldn't
understand the syntax...

-S ldap server list
 list of ldap servers of the form
 lserver|lserver@|lserver@Realm[:lserver@|lserver@Realm]

Can I just put the IP address? Right now I cannot do many tests, because
I have no testing environment. I will configure it and then wait for the
next failure.

thank you

On Sat, Aug 10, 2013 at 10:10 AM, Markus Moeller
<huaraz_at_moeller.plus.com> wrote:
> Hi Carlos,
>
> The helper must determine somehow a LDAP server and as you say there are
> several options to failover. I wonder why the CPU goes up (How many
> connections/sec do you have). I don't see a magical way to avoid a timeout
> if an ldap server fails and squid caches authorisation status to make it
> less of an issue.
>
> I could also cache the ldap server status and retry a dead ldap server
> after some time, giving maybe faster responses.
>
> Markus
>
> "Carlos Defoe" <carlosdefoe_at_gmail.com> wrote in message
> news:CAHsHsyuJjNypq+hfgiwdd_z8PsMOAdp7wRs73LM1M-RkzTXZSg_at_mail.gmail.com...
>
>> Hello,
>>
>> I'm having the following issue.
>>
>> My network has about 15 AD domain controllers. When
>> ext_kerberos_ldap_group_acl is used, according to the help page, it
>> operates as follows:
>> " ext_kerberos_ldap_group_acl will determine automagically the right
>> ldap server.
>> The following method is used:
>>
>> 1) For user <at> REALM
>> a) Query DNS for SRV record _ldap._tcp.REALM
>> b) Query DNS for A record REALM
>> c) Use LDAP_URL if given
>>
>> 2) For user
>> a) Use domain -D REALM and follow step 1)
>> b) Use LDAP_URL if given "
>>
>> When a WAN link fails and, let's say, half of the AD DCs go offline,
>> the helper gives me a lot of errors like "kerberos_ldap_group: ERROR:
>> Error while binding to ldap server with SASL/GSSAPI: Can't contact
>> LDAP server". CPU usage goes to the top and things get ugly.
>>
>> How can I avoid this? If I set some LDAP servers with "-S", and half
>> of them go offline, will the same behaviour happen? If I set the two
>> most reliable DCs, will they be used instead of the DNS discovery
>> process?
>>
>> thanks,
>>
>> Carlos
>>
>
>
Received on Mon Aug 12 2013 - 16:23:23 MDT
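The thread discusses three ingredients of server selection for the helper: the administrator-supplied "-S" list, the SRV-record discovery of _ldap._tcp.REALM, and Markus's suggestion of caching the status of a dead ldap server and retrying it only after some time. The Python below is an added illustration of how those pieces fit together; it is not squid's code or the helper's own logic. The SRV answer and host names are constructed samples, the realm handling of the "-S" parser is an assumption (the thread does not say what a bare "host@" means), and `try_connect` stands in for the real SASL/GSSAPI bind.

```python
"""Added example (not squid's own code): simulate how a group-lookup helper
could choose an LDAP/AD server. Combines an administrator-preferred list
(the role of the "-S" option in the thread), RFC 2782 ordering of DNS SRV
records, and a dead-server cache so a failed DC is not retried on every
request until a retry window has passed."""
import random
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str
    port: int
    priority: int
    weight: int


# Constructed sample answer, standing in for the SRV lookup of _ldap._tcp.REALM.
SAMPLE_SRV = [
    SrvRecord("dc1.example.com", 389, 0, 100),
    SrvRecord("dc2.example.com", 389, 0, 100),
    SrvRecord("dc3.example.com", 389, 10, 50),   # backup site, lower preference
]


def parse_server_list(spec):
    """Split a colon-separated 'host' or 'host@REALM' list into (host, realm) pairs.
    Assumption: this mirrors the -S list shape quoted in the thread; the meaning
    of an empty realm after '@' is not covered there and is treated as 'no realm'."""
    servers = []
    for entry in filter(None, spec.split(":")):
        host, _, realm = entry.partition("@")
        servers.append((host, realm or None))
    return servers


def order_srv(records, rng=random):
    """Order SRV records per RFC 2782: ascending priority, then weighted random
    selection within each priority group."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            threshold = rng.uniform(0, total) if total > 0 else 0
            running = 0
            chosen = group[-1]
            for rec in group:
                running += rec.weight
                if running >= threshold:
                    chosen = rec
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


class ServerSelector:
    """Pick a server to bind to, preferring the admin list and skipping servers
    that recently failed (dead cache) until retry_after seconds have elapsed."""

    def __init__(self, preferred=(), retry_after=60.0, clock=time.monotonic):
        self.preferred = list(preferred)   # hosts from the -S list, tried first
        self.retry_after = retry_after
        self.clock = clock                 # injectable for deterministic tests
        self.dead_since = {}               # host -> time it last failed

    def candidates(self, srv_records, rng=random):
        """Preferred hosts first, then DNS-discovered ones, without duplicates."""
        dns = [r.target for r in order_srv(srv_records, rng)]
        seen, out = set(), []
        for host in self.preferred + dns:
            if host not in seen:
                seen.add(host)
                out.append(host)
        return out

    def is_dead(self, host):
        marked = self.dead_since.get(host)
        if marked is None:
            return False
        if self.clock() - marked >= self.retry_after:
            del self.dead_since[host]      # retry window elapsed, give it another chance
            return False
        return True

    def connect(self, srv_records, try_connect, rng=random):
        """Return (host, attempted_hosts). try_connect(host) -> bool stands in for
        the LDAP bind; a False result marks the host dead for retry_after seconds."""
        attempted = []
        for host in self.candidates(srv_records, rng):
            if self.is_dead(host):
                continue
            attempted.append(host)
            if try_connect(host):
                return host, attempted
            self.dead_since[host] = self.clock()
        return None, attempted


if __name__ == "__main__":
    preferred = [h for h, _ in parse_server_list("dc2.example.com@EXAMPLE.COM")]
    sel = ServerSelector(preferred=preferred)
    print(sel.connect(SAMPLE_SRV, lambda h: h != "dc1.example.com"))
```

The point of the dead cache is the CPU problem Carlos describes: without it, every request walks the full DNS-derived list and waits for the bind timeout on each unreachable DC; with it, a host that failed is skipped for `retry_after` seconds and only probed again once the window passes, while the administrator's preferred hosts always sit at the front of the candidate order.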
