grouper-users - RE: [grouper-users] RE: vt-ldap with multiple domain controllers

Subject: Grouper Users - Open Discussion List


RE: [grouper-users] RE: vt-ldap with multiple domain controllers


  • From: Gagné Sébastien <>
  • To: "Peter Schober" <>, <>
  • Subject: RE: [grouper-users] RE: vt-ldap with multiple domain controllers
  • Date: Tue, 11 Dec 2012 15:19:50 -0500

Thanks for the answers, here is what I got from vt-ldap's list:
https://groups.google.com/forum/?fromgroups=#!topic/vt-middleware-users/l3taOlmgYCw

I believe you need to set -Dnetworkaddress.cache.ttl=0 to get the behavior
you want. This tells the JVM not to cache any DNS names and it may have other
undesirable effects, depending on how much name resolution you are doing.
Here's a similar question:
http://stackoverflow.com/questions/1256556/any-way-to-make-java-honor-the-dns-caching-timeout-ttl

You could also configure round robin in the connection handler:
edu.vt.middleware.ldap.connectionHandler="edu.vt.middleware.ldap.handler.DefaultConnectionHandler{{connectionStrategy=ROUND_ROBIN}}"
or if you're using startTLS:
edu.vt.middleware.ldap.connectionHandler="edu.vt.middleware.ldap.handler.TlsConnectionHandler{{connectionStrategy=ROUND_ROBIN}}"

Set the connection URL to be a space-delimited string containing all hosts.
Of course this moves the problem out of DNS and into software configuration,
but that's a trade-off you'll have to decide on.
------

I understand that DNS load distribution isn't a bulletproof way to be highly
available, but if there's a new DNS lookup chances are (80% in that case)
it'll return the IP of an available controller. It seems though that the
price to pay to have that is rather high (no caching).

This article (http://java-monitor.com/forum/showthread.php?t=181) states that
the default DNS cache is 30 seconds in Java 1.6. I believe this would be an
appropriate value for us; the retry values' delay should span more than 30
seconds, so hopefully there's going to be a new DNS request when the cache
expires.

I'll test with the following retry values:
edu.vt.middleware.ldap.operationRetry = 5
edu.vt.middleware.ldap.operationRetryWait = 50
edu.vt.middleware.ldap.operationRetryBackoff = 65

which should give me a total wait time of 32.55 sec at the 5th retry.

Sure this won't fix everything, but it'll give us a better chance to prevent
a failure.


Has anyone had any experience using a physical load balancer in front of LDAP
servers? This could be another option, probably a better one: it'll always
be the same IP/URL and it'll detect whether the controller is down or not.

Thanks
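The arithmetic behind the "32.55 sec at the 5th retry" figure, as an added example that is not code from this thread or from the vt-ldap project. It models the retry schedule that operationRetry, operationRetryWait and operationRetryBackoff produce and checks which retries fall after the JVM's positive DNS cache TTL has expired. The sleep formula (a flat wait before the first retry, then wait × backoff × retry-number) is an assumption chosen because it reproduces the 32.55 s total quoted above; the 30-second TTL and the property lines are taken from the message, and the helper names are mine.

```python
# Added example: model vt-ldap retry timing against the JVM DNS cache TTL.
# Not part of the mailing-list thread or of vt-ldap itself.
#
# ASSUMED sleep formula (it reproduces the 32.55 s figure in the thread,
# but check it against the vt-ldap version you actually run):
#   retry 0            -> wait_ms
#   retry n (n >= 1)   -> wait_ms * backoff * n
import re

# Constructed sample: the three property lines posted in the thread.
SAMPLE_PROPERTIES = """
edu.vt.middleware.ldap.operationRetry = 5
edu.vt.middleware.ldap.operationRetryWait = 50
edu.vt.middleware.ldap.operationRetryBackoff = 65
"""

JVM_DEFAULT_POSITIVE_DNS_TTL_SECONDS = 30  # figure quoted in the thread

_PROP_RE = re.compile(r"^\s*edu\.vt\.middleware\.ldap\.(\w+)\s*=\s*(-?\d+)\s*$")


def parse_retry_properties(text):
    """Extract the integer-valued vt-ldap retry properties from a properties blob."""
    found = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found


def retry_sleeps_ms(retries, wait_ms, backoff):
    """Sleep (ms) before each of the `retries` retry attempts, in order."""
    sleeps = []
    for n in range(retries):
        if n == 0 or backoff <= 0:
            sleeps.append(wait_ms)            # first retry: flat wait
        else:
            sleeps.append(wait_ms * backoff * n)  # later retries: linear backoff
    return sleeps


def total_wait_seconds(retries, wait_ms, backoff):
    """Cumulative time spent sleeping across the whole retry schedule."""
    return sum(retry_sleeps_ms(retries, wait_ms, backoff)) / 1000.0


def first_retry_after_ttl(retries, wait_ms, backoff, dns_ttl_seconds):
    """1-based index of the first retry issued after the cached DNS answer
    has expired (counting from the initial failure), or None if the schedule
    ends before the TTL does. Only those retries can see a fresh A record."""
    elapsed_ms = 0
    for i, sleep in enumerate(retry_sleeps_ms(retries, wait_ms, backoff), start=1):
        elapsed_ms += sleep
        if elapsed_ms / 1000.0 > dns_ttl_seconds:
            return i
    return None


if __name__ == "__main__":
    props = parse_retry_properties(SAMPLE_PROPERTIES)
    r, w, b = props["operationRetry"], props["operationRetryWait"], props["operationRetryBackoff"]
    print("sleeps (ms):", retry_sleeps_ms(r, w, b))
    print("total wait (s):", total_wait_seconds(r, w, b))
    print("first retry after DNS TTL:",
          first_retry_after_ttl(r, w, b, JVM_DEFAULT_POSITIVE_DNS_TTL_SECONDS))
```

Running it shows the schedule 50, 3250, 6500, 9750, 13000 ms, totalling 32.55 s, with cumulative waits of 0.05, 3.3, 9.8, 19.55 and 32.55 s. With a 30-second positive cache only the fifth and last retry starts after the cached answer has expired, so the schedule gives exactly one attempt that can resolve to a different controller; shortening the TTL or lengthening the backoff widens that window at the cost of slower failure.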


-----Original Message-----
From:

[mailto:]
On behalf of Peter Schober
Sent: 10 December 2012 09:44
To:

Subject: Re: [grouper-users] RE: vt-ldap with multiple domain controllers

* caleb racey
<>
[2012-12-10 15:04]:
> If it's the same as the ldap connector in shib (I think it is) then I
> think you can pass in multiple urls in the config and it tries them
> in turn

Unless vt-ldap does something fancy with non-reachable nodes (negative
caching?) this will happily route requests to non-working nodes.
Even then the problem shifts to defining non-working conditions within the
application or middleware.
@Sébastien: In other words, DNS-based load distribution has nothing to do
with a "guarantee [for] high availability", -peter


