Re: [squid-users] Re: Failover to second LDAP server with squid_ldap_auth

From: Christoph Goeldi <chg_at_open.ch>
Date: Tue, 10 Feb 2009 16:19:14 +1100

Hi Amos

Thank you very much for your reply.

> Have you tried it with a single hostname that resolves to two IPs?

I already thought of this. You can do load-balancing like this,
as some of the requests go to the first and some to the second ldap
server, but it wouldn't help if one of the servers is just not
available. The requests to this server would just fail and the ldap
helper would not try the other server (aka failover).

> AFAIK, none of the bundled helpers are designed to do failover to
> secondary servers like this.

I'm a bit confused. Some mailing list entries indicate that the helpers
are able to connect to two ldap servers and even in the header of the
source file of squid_ldap_auth I saw this comment:

> * 2003-03-01: David J N Begley
> * - Support for Netscape API method of ldap over SSL
> * connections
> * - Timeout option for better recovery when using
> * multiple LDAP servers

But the help text of the squid helper is quite unclear and I just
don't manage to get it to run.

And if the helpers do not support failover, how do other people
achieve redundancy?

Best Regards,
Christoph G.

Amos Jeffries wrote:
> Christoph G. wrote:
>> Hi there
>>
>>
>> Can anyone help me with this one?
>> I'm stuck and this becomes rather urgent for us.
>>
>> Any help would be highly appreciated.
>>
>
> Have you tried it with a single hostname that resolves to two IPs?
>
> AFAIK, none of the bundled helpers are designed to do failover to
> secondary servers like this.
>
>
> Amos
>
>>
>> Best Regards,
>> Christoph G.
>>
>>
>> Christoph G. wrote:
>>> Dear Squid-Users
>>>
>>>
>>> I tried to figure out how to set up my squid auth helpers
>>> to use a second LDAP server if the first one is unreachable.
>>>
>>> From several postings on this mailing list I thought that
>>> squid_ldap_auth and squid_ldap_group which come with the
>>> squid source are able to support this option:
>>>
>>> e.g.
>>> http://www.squid-cache.org/mail-archive/squid-users/200412/0290.html
>>>
>>> And reading the man page also lets me believe that I can just pass
>>> two IP addresses to make it work:
>>>
>>> http://linux.die.net/man/8/squid_ldap_auth
>>> ---snip---
>>> -h ldapserver
>>> Specify the LDAP server to connect to. Servers (!) can also be
>>> specified last on the command line.
>>> ---snap---
>>>
>>> So I tried this on the command line:
>>> # squid_ldap_auth -b "dc=some,dc=com" -f "sAC=%s" -D
>>> "cn=ad,ou=Users,dc=some,dc=com" -w "***" -c 2 -t 2 -p 3268 -h
>>> "10.0.0.1 10.0.0.2"
>>>
>>> This works fine if the first IP (10.0.0.1) is answering properly to my
>>> LDAP requests but it doesn't if only the second host (10.0.0.2) is
>>> reachable and answering LDAP requests.
>>>
>>> Instead I get the following error message:
>>>> someone ***
>>>> squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact
>>>> LDAP server'
>>>> ERR Success
>>>
>>> I'm using Squid Cache: Version 2.7.STABLE4.
>>>
>>> What am I doing wrong?
>>>
>>>
>>> Best Regards,
>>> Christoph G.
>>>
>

-- 
christoph göldi
security engineer
open systems ag
räffelstrasse 29
ch-8045 zürich
t +41 44 455 74 00
f +41 44 455 74 01
chg_at_open.ch
http://www.open.ch
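One way to get the failover the thread asks about is to put the retry loop in front of the bind: the following is an added example (not part of this thread, and not squid_ldap_auth's own code) of a minimal Squid basic-auth helper in Python that tries each configured server in turn and only answers ERR when none of them can be contacted. The LDAP bind is injected as a function so the example runs offline against a constructed fake; a real deployment would plug in an LDAP client library with a short connect timeout (the role of the -t option in the thread), which is assumed rather than shown here.

```python
import sys
from typing import Callable, Sequence

class LdapUnreachable(Exception):
    """Raised by the bind function when a server cannot be contacted at all."""

# bind(server, user, password) -> True on a good simple bind, False on bad credentials
BindFn = Callable[[str, str, str], bool]

def bind_with_failover(servers: Sequence[str], bind: BindFn, user: str, password: str):
    """Try the servers in order; skip ones that cannot be contacted and stop at the
    first one that answers. Returns (bind_result, server_that_answered)."""
    last = None
    for server in servers:
        try:
            return bind(server, user, password), server
        except LdapUnreachable as exc:  # dead server: move on to the next one
            last = exc
    raise LdapUnreachable(f"no server reachable (last error: {last})")

def helper_reply(servers: Sequence[str], bind: BindFn, line: str) -> str:
    """Turn one 'user password' request line from Squid (plain space-separated
    format assumed) into an OK/ERR reply; an outage is reported distinctly from
    bad credentials so cache.log shows what actually happened."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return "ERR malformed request"
    user, password = parts
    try:
        ok, _server = bind_with_failover(servers, bind, user, password)
    except LdapUnreachable:
        return "ERR no LDAP server reachable"
    return "OK" if ok else "ERR bad credentials"

def make_fake_bind(reachable: set, credentials: dict) -> BindFn:
    """Constructed stand-in for a real LDAP client so the example runs offline."""
    def bind(server: str, user: str, password: str) -> bool:
        if server not in reachable:
            raise LdapUnreachable(f"Can't contact LDAP server {server}")
        return credentials.get(user) == password
    return bind

if __name__ == "__main__":
    # Constructed scenario from the thread: 10.0.0.1 is down, only 10.0.0.2 answers.
    srv, fake = ["10.0.0.1", "10.0.0.2"], make_fake_bind({"10.0.0.2"}, {"alice": "secret"})
    for request in sys.stdin:  # helper loop: one request per line, one reply per line
        sys.stdout.write(helper_reply(srv, fake, request) + "\n")
        sys.stdout.flush()
```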
Received on Tue Feb 10 2009 - 05:19:24 MST
