Re: [squid-users] Re: Re: ext_kerberos_ldap_group_acl AD servers

From: Carlos Defoe <carlosdefoe_at_gmail.com>
Date: Tue, 13 Aug 2013 21:39:08 -0300

Ok. Apparently, "-S 192.168.1.10:192.168.1.11:192.168.1.12" works.
We went through another WAN link failure, and the proxies had no problems.

On Mon, Aug 12, 2013 at 3:29 PM, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
> Hi Carlos,
>
> As a first option I use DNS service records for which you can define
> priority and weights. The -S will overwrite DNS resolution.
>
> Regards
> Markus
>
> "Carlos Defoe" <carlosdefoe_at_gmail.com> wrote in message
> news:CAHsHsyvs7DzJEaviiikmjQg4+-0KjoU34UEdHwnwrzET6ggrSA_at_mail.gmail.com...
>
>> Approx. 200 req/s
>>
>> But, if I set up LDAP servers with "-S", will they be used instead of
>> the servers found using DNS? If not, I think that would be a good
>> idea: a means to force the use (at least with higher priority) of the most
>> reliable servers, chosen by the administrator. The problem is that
>> DNS, no matter the status of the LDAP server, will always reply with
>> all the LDAP server addresses.
>>
>> Could you give me an example line on how to use "-S"? I couldn't
>> understand the syntax...
>>
>> -S ldap server list
>> list of ldap servers of the form
>> lserver|lserver@|lserver_at_Realm[:lserver@|lserver_at_Realm]
>>
>> Can I just put the IP address? Right now I cannot do many tests, because
>> I have no testing environment. I will configure it and then wait for the
>> next failure.
>>
>> thank you
>>
>>
>>
>>
>> On Sat, Aug 10, 2013 at 10:10 AM, Markus Moeller
>> <huaraz_at_moeller.plus.com> wrote:
>>>
>>> Hi Carlos,
>>>
>>> The helper must somehow determine an LDAP server and, as you say, there
>>> are several options to fail over. I wonder why the CPU goes up (how many
>>> connections/sec do you have?). I don't see a magical way to avoid a
>>> timeout if an LDAP server fails, and squid caches authorisation status
>>> to make it less of an issue.
>>>
>>> I could also cache the LDAP server status and retry a dead LDAP server
>>> after some time, giving maybe faster responses.
>>>
>>> Markus
>>>
>>> "Carlos Defoe" <carlosdefoe_at_gmail.com> wrote in message
>>>
>>> news:CAHsHsyuJjNypq+hfgiwdd_z8PsMOAdp7wRs73LM1M-RkzTXZSg_at_mail.gmail.com...
>>>
>>>> Hello,
>>>>
>>>> I'm having the following issue.
>>>>
>>>> My network has about 15 AD domain controllers. When
>>>> ext_kerberos_ldap_group_acl is used, according to the help page, it
>>>> operates as follows:
>>>> " ext_kerberos_ldap_group_acl will determine automagically the right
>>>> ldap server.
>>>> The following method is used:
>>>>
>>>> 1) For user@REALM
>>>> a) Query DNS for SRV record _ldap._tcp.REALM
>>>> b) Query DNS for A record REALM
>>>> c) Use LDAP_URL if given
>>>>
>>>> 2) For user
>>>> a) Use domain -D REALM and follow step 1)
>>>> b) Use LDAP_URL if given "
>>>>
>>>> When a WAN link fails and, let's say, half of the AD DCs go offline,
>>>> the helper gives me a lot of errors like "kerberos_ldap_group: ERROR:
>>>> Error while binding to ldap server with SASL/GSSAPI: Can't contact
>>>> LDAP server". CPU usage goes to the top and things get ugly.
>>>>
>>>> How can I avoid this? If I set some LDAP servers with "-S", and half
>>>> of them go offline, will the same behaviour happen? If I set the two
>>>> most reliable DCs, will they be used instead of the DNS discovery
>>>> process?
>>>>
>>>> thanks,
>>>>
>>>> Carlos
>>>>
>>>
>>>
>>
>
>
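As an added illustration (not code from ext_kerberos_ldap_group_acl or from anyone in the thread), the following Python parses the "-S" list syntax quoted above and models the dead-server cache Markus proposes: servers are tried in the administrator's order, and a server that failed is skipped until a retry interval has passed. The class names, the 60-second default and the sample server list are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LdapServer:
    host: str
    realm: Optional[str]  # None when the entry carries no '@Realm' part


def parse_server_list(spec: str) -> list[LdapServer]:
    """Parse the -S syntax quoted in the thread:
    lserver|lserver@|lserver@Realm[:lserver@|lserver@Realm]
    Entries are ':'-separated; each may carry an optional '@Realm' suffix."""
    servers = []
    for entry in spec.split(":"):
        if not entry:
            raise ValueError("empty entry in -S server list: %r" % spec)
        host, sep, realm = entry.partition("@")
        servers.append(LdapServer(host, realm if sep else None))
    return servers


class ServerSelector:
    """Hypothetical failover policy (not the helper's own code): try the
    administrator's servers in the order given, skip any that recently
    failed, and retry a failed server only after retry_after seconds."""

    def __init__(self, servers, retry_after=60.0, clock=time.monotonic):
        self.servers = list(servers)
        self.retry_after = retry_after
        self.clock = clock  # injectable so the policy can be tested offline
        self.failed_at: dict[str, float] = {}

    def candidates(self) -> list[LdapServer]:
        """Servers eligible for the next bind attempt, in configured order."""
        now = self.clock()
        return [s for s in self.servers
                if s.host not in self.failed_at
                or now - self.failed_at[s.host] >= self.retry_after]

    def mark_failed(self, host: str) -> None:
        self.failed_at[host] = self.clock()

    def mark_ok(self, host: str) -> None:
        self.failed_at.pop(host, None)


if __name__ == "__main__":
    # Constructed sample list mirroring the thread's "-S" usage.
    sel = ServerSelector(parse_server_list("192.168.1.10:192.168.1.11"))
    print([s.host for s in sel.candidates()])
```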
Received on Wed Aug 14 2013 - 00:39:15 MDT

This archive was generated by hypermail 2.2.0 : Wed Aug 14 2013 - 12:00:07 MDT