grouper-users - RE: [grouper-users] RE: vt-ldap with multiple domain controllers

Subject: Grouper Users - Open Discussion List

  • From: Gagné Sébastien <>
  • To: "Peter Schober" <>, <>
  • Subject: RE: [grouper-users] RE: vt-ldap with multiple domain controllers
  • Date: Wed, 12 Dec 2012 09:44:59 -0500

Thanks for your input, it's very interesting.

I checked with someone here and it doesn't seem to be a concern right now.
All the applications use the DNS name without any concern. There might be
some "DNS magic" that checks if the controllers are still up but he isn't
sure. Either way he doesn't remember a case of it failing. For the moment
we'll simply go with retries.

We do have a nice load balancer here so it might be used in the future...

Thanks everybody

-----Original Message-----
From:

On behalf of Peter Schober
Sent: 11 December 2012 17:55
To:

Subject: Re: [grouper-users] RE: vt-ldap with multiple domain controllers

* Gagné Sébastien
[2012-12-11 21:19]:
> I understand that DNS load distribution isn't a bullet proof way to be
> highly available, but if there's a new DNS lookup chances are (80% in
> that case) it'll return the IP of an available controller. It seems
> though that the price to pay to have that is rather high (no caching).

There's the other aspect of the problem: once a node is down, new
connections will also continue to be routed to it. How do you stop that from
happening? Putting all LDAP servers in a separate DNS zone and having a really
really low TTL on that? But then some clients (not your properly configured
JVM + vt-ldap + Grouper, but still) will cache and continue to talk to the
"known bad" node. Quite a mess.

> Has anyone had any experience using a physical load balancer in front
> of LDAP servers ? This could be another option, probably a better one,
> it'll always be the same IP/URL and it'll detect if the controller is
> down or not.

Yes. Expensive and worth it, esp. for an enterprise directory.
A real load balancer usually has its own checking configuration (or DSL or
embedded programming language) which e.g. could exercise an API or what have
you and simply remove failing nodes without any changes to clients, DNS, etc.,
which you usually don't fully control.
Much easier to handle failure modes, more flexible (take nodes in and out of
service in seconds), can do more elaborate variants of load distribution
(least connection routing, etc.), and so on.
So if you can afford it, it's no question/comparison really.
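As an added example (not code from either message, nor from vt-ldap or Grouper), here is the client-side counterpart to the problem Peter describes: resolve the directory name to all of its addresses, try each with a short timeout, and quarantine an address that failed so a fresh connection is not handed to a node already known to be down. The class name, the quarantine period and the hostname are assumptions for illustration; the injectable `resolver`/`connector`/`clock` hooks exist so the logic can be exercised offline.

```python
import socket
import time


class LdapFailover:
    """Client-side failover across every address a DNS name resolves to.

    Hypothetical helper (not part of vt-ldap): rather than trusting one
    cached lookup, it resolves all A records, tries each with a timeout and
    remembers failures for `quarantine` seconds, so new connections skip a
    "known bad" node instead of retrying it blindly.
    """

    def __init__(self, host, port=389, quarantine=60.0, timeout=3.0,
                 resolver=None, connector=None, clock=time.monotonic):
        self.host = host
        self.port = port
        self.quarantine = quarantine
        self.timeout = timeout
        self.resolver = resolver or self._resolve
        self.connector = connector or self._connect
        self.clock = clock
        self.bad_until = {}  # address -> clock time until which it is skipped

    def _resolve(self):
        # Fresh lookup every time: returns all addresses behind the name.
        infos = socket.getaddrinfo(self.host, self.port, type=socket.SOCK_STREAM)
        return sorted({ai[4][0] for ai in infos})

    def _connect(self, addr):
        return socket.create_connection((addr, self.port), timeout=self.timeout)

    def candidates(self):
        """Addresses not currently quarantined; all of them if none is healthy."""
        now = self.clock()
        addrs = self.resolver()
        healthy = [a for a in addrs if self.bad_until.get(a, 0) <= now]
        return healthy or addrs

    def connect(self):
        """Return (address, connection) for the first reachable server."""
        errors = {}
        for addr in self.candidates():
            try:
                return addr, self.connector(addr)
            except OSError as exc:
                errors[addr] = exc
                self.bad_until[addr] = self.clock() + self.quarantine
        raise ConnectionError(f"no reachable LDAP server for {self.host}: {errors}")
```

With real sockets, `LdapFailover("ldap.example.test").connect()` performs the lookup and connection attempts itself; the quarantine only helps within one process, which is exactly the gap a load balancer's health checks close for every client at once.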
