Hi!

We are using OpenLDAP v2.3.19 in combination with MIT Kerberos V1.4.3, OpenSSL 0.9.7i and Cyrus-SASL 2.1.20 on the Solaris 9 platform for kerberized bind on the LDAP directory in a single sign-on environment. As our applications do frequent LDAP searches, we are trying to set up a highly available configuration for both components with quick failover. We are not able to use DNS in the final environment. As the standard solution (lists of Kerberos and LDAP server URLs) results in unacceptably high TCP timeouts if one server is down, we are trying to use a load-balancer-based cluster of servers (one Kerberos and one LDAP instance on each physical server).

As far as I know, the instance <FQDN> of the LDAP service principal ldap/<FQDN>@REALM is given by the value of sasl-host in slapd.conf. To access multiple servers with the same virtual address / URL, we would have to assign the same instance on all servers of the cluster (mapping the same hostname locally to a different IP address on each server). However, for the replication process we need different service principals for each physical slave server as long as we do the replication with a kerberized bind.
Is there a way to assign, besides the principal with a common instance for all slave servers (used for LDAP queries to the virtual address of the cluster), a second principal (which we could use for replication) with an instance that differs on each server? Is there another / better way to set up a load-balancer cluster for an LDAP service?

Thanks for considering this problem.

With kind regards
Friedbert Mueller

***********************************************************************
The information in this e-mail is confidential and intended solely for the named addressee(s). Access to this e-mail by anyone other than the named addressee(s) is not permitted. If you are not the named addressee, please delete this e-mail.
***********************************************************************
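The two halves of the setup the post describes, written out as an added, hypothetical slapd.conf fragment (it is not from the original post, nor OpenLDAP's own documentation; the virtual name ldap.example.com, the realm EXAMPLE.COM, the host names and the DNs are all assumptions). On the accepting side, sasl-host names the instance of the service principal a node accepts, so every node shares the cluster's virtual name and must hold that key in its keytab. On the replicating side, a syncrepl consumer binding with GSSAPI presents whatever principal its credential cache holds, which is a per-host principal obtained with kinit -k from the slave's own keytab, and the provider maps that authentication identity onto a DN with authz-regexp. The accepted identity and the presented identity are configured in different places, which is the distinction the post turns on.

```conf
# --- Every cluster node (provider and slaves): slapd.conf, hypothetical example ---
# Assumed names: virtual address ldap.example.com, realm EXAMPLE.COM,
# physical slaves slave1.example.com / slave2.example.com, master master.example.com.

# The service principal slapd accepts is ldap/<sasl-host>@<sasl-realm>, as the
# post states, so with the virtual name here each node needs
# ldap/ldap.example.com@EXAMPLE.COM in the keytab named by KRB5_KTNAME
# (default /etc/krb5.keytab). Check with: klist -kt /etc/krb5.keytab
sasl-host      ldap.example.com
sasl-realm     EXAMPLE.COM
sasl-secprops  noanonymous,noplain

# Map the SASL/GSSAPI authentication identity of each replication consumer
# onto an entry in the DIT. slapd renders a GSSAPI identity as
#   uid=<principal without realm>,cn=<realm, lowercased>,cn=gssapi,cn=auth
# so ldap/slave1.example.com@EXAMPLE.COM becomes
#   uid=ldap/slave1.example.com,cn=example.com,cn=gssapi,cn=auth
# and is mapped to cn=slave1,ou=replicas,dc=example,dc=com.
authz-regexp
  "uid=ldap/([^,/.]+)\.example\.com,cn=example\.com,cn=gssapi,cn=auth"
  "cn=$1,ou=replicas,dc=example,dc=com"

access to *
  by dn.children="ou=replicas,dc=example,dc=com" read
  by * read    # assumption: the applications only search

# --- Each slave additionally: syncrepl consumer, hypothetical example ---
# slapd's environment carries KRB5CCNAME pointing at a cache filled by
#   kinit -k -t /etc/krb5.keytab ldap/slave1.example.com@EXAMPLE.COM
# (ldap/slave2.example.com on the second slave, and so on). The bind identity
# therefore differs per physical host even though sasl-host above, the
# identity this node *accepts*, is the shared virtual name on every node.
syncrepl rid=001
  provider=ldap://master.example.com:389
  type=refreshAndPersist
  retry="60 +"
  searchbase="dc=example,dc=com"
  bindmethod=sasl
  saslmech=GSSAPI
```

The fragment shows the mechanics only: a per-host ticket in the consumer's cache and a cluster-wide acceptor name in sasl-host. It does not settle whether a single slapd can also accept a second, host-specific service principal, which is the question the post asks; that depends on how the installed Kerberos and SASL libraries select keys from the keytab, and should be verified on the actual versions before relying on it.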
