Oftentimes client software doesn't support more than one ldap node.

A VIP using the same cert as the nodes simplifies things (e.g.: cert name 
ldapvip with altnames ldap01, ldap02, and ldapvip itself jic). We use ldap 
pairs (slaves) in all our environments behind VIPs with the active-spare 
multi-master pair also behind a VIP (which is where the slave nodes connect). 
This has worked well for us; if the VIP is down then much larger issues are at 
play, and it offers us a lot of flexibility during maintenance, let alone being 
more immune to system issues.

TL;DR: get a good load balancing solution, it makes life easier for everything 
(like apps or services) including ldap.

- chris

-----Original Message-----
From: openldap-technical [mailto:[email protected]] On 
Behalf Of Brent Bice
Sent: Wednesday, September 02, 2015 9:45 AM
To: [email protected]
Subject: Re: load balancer

On 09/02/2015 04:10 AM, Andrew Findlay wrote:
> Depending on exactly what you want to achieve, you may not need to run 
> a separate service at all.
>
> Much LDAP client software allows you to specify multiple servers, 
> which will be tried in rotation until one answers. This gives 
> protection against unreachable servers.

    Yup, this is probably the best/easiest way.

    6 or 7 years ago, more as an experiment and proof of concept, I set up 
multiple OpenLDAP servers in an OSPF anycast.  So one, special, IP address 
could be used but it could be any one of multiple servers that answered.  The 
way an OSPF-anycast works is you have an IP in a normally non-routable subnet 
ifconfig'd as a secondary IP on each OpenLDAP server.  Then each OpenLDAP 
server runs a routing daemon and does an OSPF route announcement for the 
service-IP.  The routing infrastructure, then, learns of a new route to this 
service-IP via the various OpenLDAP servers.

    Usually this is used for services you want to be geographically diverse, 
where you want one IP to always route to the nearest, UP, server.  The routing 
infrastructure takes care of figuring out which server is the closest and sends 
the traffic there.

    Obviously some care has to be taken in how the load-balancing is done by 
the routers if they have multiple equal-cost routes to the same service-IP, and 
you have to have some form of watchdog that pulls down the route if the 
OpenLDAP server is offline for some reason.  But in a lab environment, it 
worked fine for me.

    Have I mentioned that just making sure your clients support and know about 
multiple LDAP servers is easier?  :-)

Brent
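The anycast arrangement Brent describes, together with the watchdog he says you need to pull the route when slapd is offline, as an added shell example that is not Brent's setup or any code from the thread. Assumptions, all constructed for the example: the service IP is 192.0.2.10/32 held on the loopback as a secondary address (ip(8) instead of ifconfig), and the local routing daemon redistributes connected routes, so deleting the address withdraws this node's OSPF announcement and nothing else.

```shell
#!/bin/sh
# Added example, not from the thread: watchdog for one anycast OpenLDAP node.
# Assumed: service IP 192.0.2.10/32 on lo as a secondary address, and a routing
# daemon that redistributes connected routes, so removing the address withdraws
# the OSPF route for this node only.
SERVICE_IP="${SERVICE_IP:-192.0.2.10/32}"
SERVICE_IF="${SERVICE_IF:-lo}"
LDAP_URI="${LDAP_URI:-ldap://127.0.0.1}"
FAIL_LIMIT="${FAIL_LIMIT:-3}"   # consecutive failed probes before withdrawing
INTERVAL="${INTERVAL:-5}"       # seconds between probes

# probe_slapd: anonymous base search of the root DSE. A bare TCP connect is not
# enough; slapd can accept connections while its backend is unusable.
probe_slapd() {
  ldapsearch -x -H "$LDAP_URI" -s base -b '' '(objectClass=*)' namingContexts \
    >/dev/null 2>&1
}

# ip_announced: true if the service IP is currently configured on this host
ip_announced() {
  ip -o addr show dev "$SERVICE_IF" | grep -qF "inet ${SERVICE_IP%/*}/"
}

# decide_action PROBE_RC FAILS ANNOUNCED -> "ACTION NEWFAILS"
# ACTION is withdraw, announce or noop. Withdrawal needs FAIL_LIMIT consecutive
# failures (hysteresis against one slow query); recovery is immediate.
decide_action() {
  rc=$1; fails=$2; announced=$3
  if [ "$rc" -ne 0 ]; then
    fails=$((fails + 1))
    if [ "$announced" = yes ] && [ "$fails" -ge "$FAIL_LIMIT" ]; then
      echo "withdraw $fails"
    else
      echo "noop $fails"
    fi
    return 0
  fi
  if [ "$announced" = no ]; then
    echo "announce 0"
  else
    echo "noop 0"
  fi
}

# watchdog_loop: probe, decide, and add/delete the service address accordingly
watchdog_loop() {
  fails=0
  while :; do
    if ip_announced; then announced=yes; else announced=no; fi
    if probe_slapd; then rc=0; else rc=1; fi
    set -- $(decide_action "$rc" "$fails" "$announced")
    action=$1; fails=$2
    case $action in
      withdraw)
        logger -t ldap-anycast "slapd unhealthy ($fails probes), withdrawing $SERVICE_IP"
        ip addr del "$SERVICE_IP" dev "$SERVICE_IF" ;;
      announce)
        logger -t ldap-anycast "slapd healthy, announcing $SERVICE_IP"
        ip addr add "$SERVICE_IP" dev "$SERVICE_IF" ;;
    esac
    sleep "$INTERVAL"
  done
}

# Run as root under a supervisor: sh ldap-anycast-watchdog.sh run
if [ "${1:-}" = run ]; then
  watchdog_loop
fi
```

The watchdog covers the case Brent calls out: the host is up and still announcing, but slapd is not answering. If the whole host dies, the routing daemon's OSPF adjacency times out and the route disappears on its own, so no watchdog is needed for that case. The probe does a real directory read rather than a port check, and the FAIL_LIMIT threshold keeps one slow query from withdrawing the route; if you observe flapping on recovery, add the same kind of threshold on the announce side.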

