Re: [squid-users] Re: Failover to second LDAP server with squid_ldap_auth

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 10 Feb 2009 19:25:08 +1300

Christoph Goeldi wrote:
> Hi Amos
>
>
> Thank you very much for your reply.
>
> > Have you tried it with a single hostname that resolves to two IPs?
>
> I already thought of this. You can do load-balancing like this,
> as some of the requests go to the first and some to the second ldap
> server, but it wouldn't help if one of the servers is just not
> available. The requests to this server would just fail and the ldap
> helper would not try the other server (aka failover).
>
> > AFAIK, none of the bundled helpers are designed to do failover to
> > secondary servers like this.
>
> I'm a bit confused. Some mailing list entries indicate that the helpers
> are able to connect to two ldap servers and even in the header of the
> source file of squid_ldap_auth I saw this comment:
>
>> * 2003-03-01: David J N Begley
>> * - Support for Netscape API method of ldap over SSL
>> * connections
>> * - Timeout option for better recovery when using
>> * multiple LDAP servers
>
> But the help text of the squid helper is quite unclear and I just
> don't manage to get it to run.
>
> And if the helpers do not support failover, how do other people
> achieve redundancy?
>

I wasn't paying much attention to the LDAP side of things before this
year sorry. Haven't seen it mentioned apart from your post so far.

Amos
>
> Best Regards,
> Christoph G.
>
>
> Amos Jeffries wrote:
>> Christoph G. wrote:
>>> Hi there
>>>
>>>
>>> Can anyone help me with this one?
>>> I'm stuck and this becomes rather urgent for us.
>>>
>>> Any help would be highly appreciated.
>>>
>>
>> Have you tried it with a single hostname that resolves to two IPs?
>>
>> AFAIK, none of the bundled helpers are designed to do failover to
>> secondary servers like this.
>>
>>
>> Amos
>>
>>>
>>> Best Regards,
>>> Christoph G.
>>>
>>>
>>> Christoph G. wrote:
>>>> Dear Squid-Users
>>>>
>>>>
>>>> I tried to figure out how to set up my squid auth helpers
>>>> to use a second LDAP server if the first one is unreachable.
>>>>
>>>> From several postings on this mailing list I thought that
>>>> squid_ldap_auth and squid_ldap_group which come with the
>>>> squid source are able to support this option:
>>>>
>>>> e.g.
>>>> http://www.squid-cache.org/mail-archive/squid-users/200412/0290.html
>>>>
>>>> And reading the man page also lets me believe that I can just pass
>>>> two IP addresses to make it work:
>>>>
>>>> http://linux.die.net/man/8/squid_ldap_auth
>>>> ---snip---
>>>> -h ldapserver
>>>> Specify the LDAP server to connect to. Servers (!) can also be
>>>> specified last on the command line.
>>>> ---snap---
>>>>
>>>> So I tried this on the command line:
>>>> # squid_ldap_auth -b "dc=some,dc=com" -f "sAC=%s" -D
>>>> "cn=ad,ou=Users,dc=some,dc=com" -w "***" -c 2 -t 2 -p 3268 -h
>>>> "10.0.0.1 10.0.0.2"
>>>>
>>>> This works fine if the first IP (10.0.0.1) is answering properly to my
>>>> LDAP requests but it doesn't if only the second host (10.0.0.2) is
>>>> reachable and answering LDAP requests.
>>>>
>>>> Instead I get the following error message:
>>>>> someone ***
>>>>> squid_ldap_auth: WARNING, could not bind to binddn 'Can't contact
>>>>> LDAP server'
>>>>> ERR Success
>>>>
>>>> I'm using Squid Cache: Version 2.7.STABLE4.
>>>>
>>>> What am I doing wrong?
>>>>
>>>>
>>>> Best Regards,
>>>> Christoph G.

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.5
Received on Tue Feb 10 2009 - 06:25:09 MST
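
The failover asked about in this thread can also be done in a wrapper helper. The sketch below is an added example, not code from the thread or from the Squid project: it speaks the basic-auth helper protocol (one "user password" line in, OK or ERR out) and moves to the next server only when the current one is unreachable. The `Unreachable` exception and the backend callables, each standing in for an LDAP bind against one server, are assumptions.

```python
import sys
from urllib.parse import unquote


class Unreachable(Exception):
    """A backend raises this when its LDAP server cannot be contacted."""


def authenticate(user, password, backends):
    """Try backends in order, moving on only when one is unreachable.

    A definite rejection is final: replaying a wrong password against
    every server would multiply failed-bind counts on the directory.
    """
    for check in backends:
        try:
            return "OK" if check(user, password) else "ERR"
        except Unreachable:
            continue  # this server is down, try the next one
    return "ERR"  # no server could be reached: fail closed


def handle_line(line, backends):
    """Answer one 'user password' request line with OK or ERR."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not all(parts):
        return "ERR"
    user, password = (unquote(p) for p in parts)  # Squid URL-escapes both
    return authenticate(user, password, backends)


def serve(backends, stdin=sys.stdin, stdout=sys.stdout):
    """Helper loop: one reply per request line, flushed immediately."""
    for line in stdin:
        stdout.write(handle_line(line, backends) + "\n")
        stdout.flush()


if __name__ == "__main__":
    # Constructed stand-ins for real LDAP binds (hypothetical callables).
    def first(user, password):
        raise Unreachable("10.0.0.1")

    def second(user, password):
        return (user, password) == ("someone", "constructed-secret")

    serve([first, second])
```

Each real backend needs its own connect timeout so that an unreachable server is detected quickly rather than stalling the helper.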
