[squid-users] Re: Re: ext_kerberos_ldap_group_acl AD servers

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Mon, 12 Aug 2013 19:29:49 +0100

Hi Carlos,

    As a first option I use DNS service records for which you can define
priority and weights. The -S will overwrite DNS resolution.

Regards
Markus

"Carlos Defoe" <carlosdefoe_at_gmail.com> wrote in message
news:CAHsHsyvs7DzJEaviiikmjQg4+-0KjoU34UEdHwnwrzET6ggrSA_at_mail.gmail.com...
> Approx. 200 req/s
>
> But, if I set up ldap servers with "-S", will they be used instead of
> the servers found using DNS? If not, I think that would be a good
> idea: a means to force the use (at least with higher priority) of the most
> reliable servers, chosen by the administrator. The problem is that
> DNS, no matter the status of the ldap server, will always reply with
> all the ldap server addresses.
>
> Could you give me an example line on how to use "-S"? I couldn't
> understand the syntax...
>
> -S ldap server list
> list of ldap servers of the form
> lserver|lserver@|lserver_at_Realm[:lserver@|lserver_at_Realm]
>
> Can I just put the IP address? Right now I cannot do many tests, because
> I have no testing environment. I will configure and then wait for the
> next failure.
>
> thank you
>
> On Sat, Aug 10, 2013 at 10:10 AM, Markus Moeller
> <huaraz_at_moeller.plus.com> wrote:
>> Hi Carlos,
>>
>> The helper must somehow determine an LDAP server and, as you say, there
>> are several options to failover. I wonder why the CPU goes up (how many
>> connections/sec do you have?). I don't see a magical way to avoid a
>> timeout if an ldap server fails, and squid caches authorisation status to
>> make it less of an issue.
>>
>> I could also cache the ldap server status and retry a dead ldap server
>> after some time, giving maybe faster responses.
>>
>> Markus
>>
>> "Carlos Defoe" <carlosdefoe_at_gmail.com> wrote in message
>> news:CAHsHsyuJjNypq+hfgiwdd_z8PsMOAdp7wRs73LM1M-RkzTXZSg_at_mail.gmail.com...
>>
>>> Hello,
>>>
>>> I'm having the following issue.
>>>
>>> My network has about 15 AD domain controllers. When
>>> ext_kerberos_ldap_group_acl is used, according to the help page, it
>>> operates as follows:
>>> " ext_kerberos_ldap_group_acl will determine automagically the right
>>> ldap server.
>>> The following method is used:
>>>
>>> 1) For user <at> REALM
>>> a) Query DNS for SRV record _ldap._tcp.REALM
>>> b) Query DNS for A record REALM
>>> c) Use LDAP_URL if given
>>>
>>> 2) For user
>>> a) Use domain -D REALM and follow step 1)
>>> b) Use LDAP_URL if given "
>>>
>>> When a WAN link fails and, let's say, half of the AD DCs go offline,
>>> the helper gives me a lot of errors like "kerberos_ldap_group: ERROR:
>>> Error while binding to ldap server with SASL/GSSAPI: Can't contact
>>> LDAP server". CPU usage goes to the top and things get ugly.
>>>
>>> How can I avoid this? If I set some LDAP servers with "-S", and half
>>> of them go offline, will the same behaviour happen? If I set the two
>>> most reliable DCs, will they be used instead of the DNS discovery
>>> process?
>>>
>>> thanks,
>>>
>>> Carlos
>>>
>>
>>
>
Received on Mon Aug 12 2013 - 18:30:15 MDT
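An added example, not code from the helper or from either poster, showing the two mechanisms the thread discusses: RFC 2782 ordering of `_ldap._tcp.REALM` SRV answers by priority and weight (what Markus relies on as his first option), and parsing the `-S` server list syntax quoted above (`_at_` in the archive is the list archiver's rendering of `@`). The SRV records, hostnames, and the rule that an entry without a realm falls back to the `-D` realm are constructed assumptions, not the helper's documented behaviour.

```python
import random

# Constructed sample answers for an SRV query of _ldap._tcp.REALM:
# (priority, weight, target, port). Lower priority is tried first; within
# one priority, weight sets how often a target comes out on top.
SAMPLE_SRV = [
    (0, 100, "dc1.example.local", 389),
    (0, 50, "dc2.example.local", 389),
    (10, 0, "dc-remote.example.local", 389),
]


def order_srv(records, seed=None):
    """Return (target, port) pairs in the order a client should try them,
    following RFC 2782: ascending priority, weighted random within a priority."""
    rng = random.Random(seed)
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec[0], []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)  # randint(0, 0) handles all-zero weights
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append((rec[2], rec[3]))
                    pool.remove(rec)
                    break
    return ordered


def parse_server_list(spec, default_realm=None):
    """Parse a -S value of the form lserver|lserver@|lserver@Realm[:...].
    Entries are ':'-separated; an entry may carry a realm after '@'.
    Assumption: an entry with no realm is used for the default (-D) realm."""
    servers = []
    for entry in spec.split(":"):
        if not entry:
            continue
        host, _, realm = entry.partition("@")
        servers.append((host, realm or default_realm))
    return servers


if __name__ == "__main__":
    print(order_srv(SAMPLE_SRV, seed=42))
    print(parse_server_list("dc1.example.local:dc2.example.local@EXAMPLE.LOCAL", "CORP.LOCAL"))
```

Because the zero-weight remote DC sits at priority 10, it is only reached after both priority-0 DCs fail, which is the behaviour Carlos was asking for without relying on `-S`.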
