
Mailing List Archive: Linux Virtual Server: Users

[lvs-users] Highly available ldap

 

 



kenneth.penza at gov

Sep 6, 2007, 8:02 AM

Post #1 of 6 (656 views)
[lvs-users] Highly available ldap

People,



I am trying to load balance two openldap servers using LVS
in CentOS 5.0, using direct routing. Did anyone manage to get this
working? Any help would be appreciated.





Kenneth Penza



_______________________________________________
LinuxVirtualServer.org mailing list - lvs-users [at] LinuxVirtualServer
Send requests to lvs-users-request [at] LinuxVirtualServer
or go to http://lists.graemef.net/mailman/listinfo/lvs-users


jmack at wm7d

Sep 6, 2007, 10:43 AM

Post #2 of 6 (608 views)
Re: [lvs-users] Highly available ldap [In reply to]

On Thu, 6 Sep 2007, Penza Kenneth at MITTS wrote:

> People,
>
>
>
> I am trying to load balance two openldap servers using LVS
> in CentOS 5.0, using direct routing. Did anyone manage to get this
> working? Any help would be appreciated.

no-one has done it. I would expect if it were useful to do
so, someone would have done it by now. I assume you've read
the appropriate section in the HOWTO. Trying the -SH
scheduler would be a better start than using persistence.

Do you understand the many-reader/single-writer problem with
LVS?

Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



Tim.Mooney at ndsu

Sep 10, 2007, 12:50 PM

Post #3 of 6 (600 views)
Re: [lvs-users] Highly available ldap [In reply to]

In regard to: Re: [lvs-users] Highly available ldap, Joseph Mack NA3T said...:

> On Thu, 6 Sep 2007, Penza Kenneth at MITTS wrote:
>
>> People,
>>
>>
>>
>> I am trying to load balance two openldap servers using LVS
>> in CentOS 5.0, using direct routing. Did anyone manage to get this
>> working? Any help would be appreciated.
>
> no-one has done it.

We've actually been load balancing OpenLDAP for years using LVS-DR.

Our clients do NOT update LDAP though -- to them it's read only.

Kenneth, what type of problems are you encountering? Our OpenLDAP servers
are currently RHEL 4, they've been RHEL3 and a custom Linux distro in the
past. Our director is currently RHEL4 as well.

Tim
--
Tim Mooney Tim.Mooney [at] ndsu
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164



Tim.Mooney at ndsu

Sep 10, 2007, 2:03 PM

Post #4 of 6 (613 views)
Re: [lvs-users] Highly available ldap [In reply to]

In regard to: Re: [lvs-users] Highly available ldap, Joseph Mack NA3T said...:

> On Mon, 10 Sep 2007, Tim Mooney wrote:
>
>> In regard to: Re: [lvs-users] Highly available ldap, Joseph Mack NA3T said...:
>>
>>> On Thu, 6 Sep 2007, Penza Kenneth at MITTS wrote:
>>>
>>>> People,
>>>>
>>>>
>>>>
>>>> I am trying to load balance two openldap servers using LVS
>>>> in CentOS 5.0, using direct routing. Did anyone manage to get this
>>>> working? Any help would be appreciated.
>>>
>>> no-one has done it.
>>
>> We've actually been load balancing OpenLDAP for years using LVS-DR.
>>
>> Our clients do NOT update LDAP though -- to them it's read only.
>
> ah. Important difference, but good to know it's been done.

Yeah, it is. When clients can update LDAP, balancing becomes much more
tricky.

> anything special we should know?

No, it's pretty standard. Original setup was done by someone else, but
openldap was the first service we used LVS for, before even http. We've
been using LVS-DR with OpenLDAP for at least 5 years, probably closer to
7.

> Is it only one port?

For now, yeah. Clients don't need to bind and can't retrieve anything
that's sensitive, so we're only doing ldap (no ldaps).

> what's the output of `ipvsadm` look like?

We have additional balanced services beyond LDAP, but the LDAP portion
looks like:

IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  vs2.ndsu.NoDak.edu:ldap lc
  -> obscured2.NoDak.edu:ldap     Route   1      16         982
  -> obscured1.NoDak.edu:ldap     Route   1      17         984


If you do an ldapsearch against our directory, you're getting our LVS-DR
openldap:

ldapsearch -x -LLL -h ldap.nodak.edu -b dc=ndsu,dc=nodak,dc=edu \
uid=mooney

There's another organization co-located with the IT organization here at
the university, and they've also been running LVS-DR in front of their
openldap directory for nearly as long as we have.

LDAP is a critical component of Hurderos, which we've been using since
its inception. Hence the need for a highly-available LDAP.

Tim
--
Tim Mooney Tim.Mooney [at] ndsu
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
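
Added example, not part of the original thread: a shell function that turns an `ipvsadm` listing like the one in the post above into rules in the format `ipvsadm -S` prints, so the director's LDAP service can be recorded and rebuilt. The function names, the optional scheduler override (for trying `sh`, as suggested earlier in the thread) and the re-spaced sample listing are assumptions of this example.

```shell
#!/bin/sh
# Added example: rebuild ipvsadm rules from an `ipvsadm` listing.

# Constructed sample: the LDAP portion of the listing quoted in the post.
sample_listing() {
cat <<'EOF'
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  vs2.ndsu.NoDak.edu:ldap lc
  -> obscured2.NoDak.edu:ldap     Route   1      16         982
  -> obscured1.NoDak.edu:ldap     Route   1      17         984
EOF
}

# Usage: listing_to_rules [scheduler] < listing
# Prints one "-A" rule per virtual service and one "-a" rule per real
# server. Persistence and other service flags are not handled.
listing_to_rules() {
  awk -v sched="${1:-}" '
    # Virtual service line: protocol, VIP:port, scheduler
    $1 == "TCP" || $1 == "UDP" {
      proto = ($1 == "TCP") ? "-t" : "-u"
      vip = $2
      s = (sched != "") ? sched : $3
      printf "-A %s %s -s %s\n", proto, vip, s
      next
    }
    # Real server line: -> host:port Forward Weight ActiveConn InActConn
    $1 == "->" && $2 != "RemoteAddress:Port" {
      if ($3 == "Route") fwd = "-g"        # direct routing (LVS-DR)
      else if ($3 == "Masq") fwd = "-m"    # NAT
      else if ($3 == "Tunnel") fwd = "-i"  # IP-IP tunnel
      else {
        printf "unknown forwarding method: %s\n", $3 > "/dev/stderr"
        exit 1
      }
      printf "-a %s %s -r %s %s -w %s\n", proto, vip, $2, fwd, $4
    }
  '
}

# Stand-alone run: print the rules for the sample listing.
sample_listing | listing_to_rules
```

The output can be fed to `ipvsadm-restore` on a director where the host names resolve; passing `sh` as the argument swaps the scheduler while keeping the real servers and weights.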



jmack at wm7d

Sep 10, 2007, 3:46 PM

Post #5 of 6 (613 views)
Re: [lvs-users] Highly available ldap [In reply to]

On Mon, 10 Sep 2007, Tim Mooney wrote:

>>> Our clients do NOT update LDAP though -- to them it's read only.
>>
>> ah. Important difference, but good to know it's been done.
>
> Yeah, it is. When clients can update LDAP, balancing becomes much more
> tricky.

people spent years trying to figure out how to connect
through LVS to multiple Windows domain servers (with all the
peer - rather than client/server - write problems), till
someone figured out that it would work if you restricted
yourself to (ro).


>> anything special we should know?
>
> No, it's pretty standard. Original setup was done by
> someone else, but openldap was the first service we used
> LVS for, before even http. We've been using LVS-DR with
> OpenLDAP for at least 5 years, probably closer to 7.
>
>> Is it only one port?
>
> For now, yeah. Clients don't need to bind and can't
> retrieve anything that's sensitive, so we're only doing
> ldap (no ldaps).
>
>> what's the output of `ipvsadm` look like?
>
> We have additional balanced services beyond LDAP, but the
> LDAP portion looks like:
>
> IP Virtual Server version 1.2.1 (size=4096)
> Prot LocalAddress:Port Scheduler Flags
>   -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
> TCP  vs2.ndsu.NoDak.edu:ldap lc
>   -> obscured2.NoDak.edu:ldap     Route   1      16         982
>   -> obscured1.NoDak.edu:ldap     Route   1      17         984

OK

> If you do an ldapsearch against our directory, you're getting our LVS-DR
> openldap:
>
> ldapsearch -x -LLL -h ldap.nodak.edu -b dc=ndsu,dc=nodak,dc=edu \
> uid=mooney

I'm not an ldap person, but I assume that vs2.ndsu.x.x. and
ldap.x.x are the same machine?

> There's another organization co-located with the IT organization here at
> the university, and they've also been running LVS-DR in front of their
> openldap directory for nearly as long as we have.
>
> LDAP is a critical component of Hurderos, which we've been using since
> its inception. Hence the need for a highly-available LDAP.

I take it that there's no replication between ldap servers
like you can do with mysql servers?

Joe

--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!



Tim.Mooney at ndsu

Sep 10, 2007, 3:59 PM

Post #6 of 6 (597 views)
Re: [lvs-users] Highly available ldap [In reply to]

In regard to: Re: [lvs-users] Highly available ldap, Joseph Mack NA3T said...:

>> If you do an ldapsearch against our directory, you're getting our LVS-DR
>> openldap:
>>
>> ldapsearch -x -LLL -h ldap.nodak.edu -b dc=ndsu,dc=nodak,dc=edu \
>> uid=mooney
>
> I'm not an ldap person, but I assume that vs2.ndsu.x.x. and
> ldap.x.x are the same machine?

Yup:

$ host ldap.nodak.edu
ldap.nodak.edu is an alias for vs2.ndsu.nodak.edu.
vs2.ndsu.nodak.edu has address 134.129.111.102

>> There's another organization co-located with the IT organization here at
>> the university, and they've also been running LVS-DR in front of their
>> openldap directory for nearly as long as we have.
>>
>> LDAP is a critical component of Hurderos, which we've been using since
>> its inception. Hence the need for a highly-available LDAP.
>
> I take it that there's no replication between ldap servers
> like you can do with mysql servers?

There certainly can be, but in our case we have a master repository
(an Oracle database) that feeds adds/deletes/modifies directly to our
two back-end LDAP servers (bypassing the LVS-DR director).

The built-in replication has really matured. Once OpenLDAP 2.4 is out,
I need to revisit what's possible with it.

Tim
--
Tim Mooney Tim.Mooney [at] ndsu
Information Technology Services (701) 231-1076 (Voice)
Room 242-J6, IACC Building (701) 231-8541 (Fax)
North Dakota State University, Fargo, ND 58105-5164
