[squid-users] ext_kerberos_ldap_group_acl AD servers

From: Carlos Defoe <carlosdefoe_at_gmail.com>
Date: Thu, 8 Aug 2013 18:03:17 -0300

Hello,

I'm having the following issue.

My network has about 15 AD domain controllers. When
ext_kerberos_ldap_group_acl is used, according to the help page, it
operates as follows:
" ext_kerberos_ldap_group_acl will determine automagically the right
ldap server.
The following method is used:

       1) For user <at> REALM
          a) Query DNS for SRV record _ldap._tcp.REALM
          b) Query DNS for A record REALM
          c) Use LDAP_URL if given

       2) For user
          a) Use domain -D REALM and follow step 1)
          b) Use LDAP_URL if given "

When a WAN link fails and, let's say, half of the AD DCs go offline,
the helper gives me a lot of errors like "kerberos_ldap_group: ERROR:
Error while binding to ldap server with SASL/GSSAPI: Can't contact
LDAP server". CPU usage goes to the top and things get ugly.

How can I avoid this? If I set some LDAP servers with "-S" and half
of them go offline, will the same behaviour happen? If I set the two
most reliable DCs, will they be used instead of the DNS discovery
process?

thanks,

Carlos
Received on Thu Aug 08 2013 - 21:03:25 MDT
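As an added illustration (not the helper's code, and not an answer from the list), the lookup order quoted in the post modelled as a candidate list, run against a constructed DNS table; it shows that every unreachable DC that DNS discovery puts ahead of a live one costs a failed bind, which is where the "Can't contact LDAP server" errors come from. Hostnames, addresses and the reachability map are invented, and whether "-S" replaces discovery is exactly the open question, so it is not modelled here.

```python
from typing import Dict, List, Optional, Tuple

# Constructed DNS answers: SRV records for _ldap._tcp.<REALM> and A records
# for the bare REALM name. Hostnames and addresses are invented.
DNS_SRV: Dict[str, List[str]] = {
    "_ldap._tcp.EXAMPLE.COM": ["dc1.example.com", "dc2.example.com",
                               "dc3.example.com", "dc4.example.com"],
}
DNS_A: Dict[str, List[str]] = {"EXAMPLE.COM": ["192.0.2.10", "192.0.2.11"]}


def candidate_servers(user: str, default_realm: Optional[str] = None,
                      ldap_url: Optional[str] = None) -> List[str]:
    """Return LDAP servers in the order the help text describes.

    1) user@REALM : SRV _ldap._tcp.REALM, then A REALM, then LDAP_URL
    2) bare user  : use the -D REALM (default_realm) and follow 1),
                    otherwise only LDAP_URL if given
    """
    if "@" in user:
        realm = user.split("@", 1)[1].upper()
    elif default_realm:
        realm = default_realm.upper()
    else:
        return [ldap_url] if ldap_url else []
    servers = list(DNS_SRV.get(f"_ldap._tcp.{realm}", []))
    servers += DNS_A.get(realm, [])
    if ldap_url:
        servers.append(ldap_url)
    return servers


def bind_attempts(servers: List[str],
                  reachable: Dict[str, bool]) -> Tuple[Optional[str], int]:
    """Walk the candidate list until one server answers.

    Returns (server_used, failed_attempts). Each failed attempt stands for
    one bind error plus its connect timeout; with half the DCs down this
    is the per-lookup cost the post complains about.
    """
    failures = 0
    for server in servers:
        if reachable.get(server, False):
            return server, failures
        failures += 1
    return None, failures
```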
