LDAP backups configuration

Hi all,

I am using Ejabberd coupled with LDAP.
I have a master/slave LDAP configuration. So of course I want to use my two LDAP servers with ejabberd to increase the availability of the service in case of a failure of one of the LDAP servers.
I simply put in ejabberd.cfg the two servers in the "ldap_servers" directive:
{ldap_servers, ["server1", "server2"]}.

Unfortunately, this seems to be worse than setting only one server, as if one of the two servers is unavailable, the authentication fails on Ejabberd. In fact I am decreasing the availability by 2 instead of the opposite ;)
I also tried the "ldap_backups" directive with no more success but I know this directive is for now unsupported officially.

What is the way of using reliably two LDAP servers with Ejabberd?

Thanks.
--
JSH

Re: LDAP backups configuration

I don't think there is a simple solution to your problem because in the case of {ldap_servers, ["server1", "server2"]} round-robin is used, hence if one of the servers fails then 50% of requests fail. In the case of ldap_backups there is no switch back to a normal state (from backup server to main server).

Re: LDAP backups configuration

Huum, this is really an annoying and weird behavior.
I have to choose between all requests failing (one server config) or half of the requests failing (two servers config).
I need to validate the fact that only half of the requests fail when one LDAP server is down.

Re: LDAP backups configuration

> Huum, this is really an annoying and weird behavior.

That is a misfeature ;)

> I need to validate the fact that only half of the requests fail when one LDAP server is down.

What do you mean? There is just a simple round-robin.

Re: LDAP backups configuration

> What do you mean? There is just a simple round-robin.

In fact it seems to work but there seems to be an association between client => LDAP server. So when the LDAP server associated with a client fails, that client can't connect anymore.

Until a fix is available I think I will stay with just one LDAP server. The behavior seems too unpredictable for now.

Thanks for your answers.

My 2 cent: this connection

My 2 cents: this connection client -> LDAP server is with any kind of client, not only with ejd. We had to deal with 3 LDAP servers being used in round robin style and we finally decided to go the load balancer way. This simplified many more things, not only the jabber login.

Isolate servers from client

The simplest solution is to place a load-balancer between client and servers and let the load balancer manage failover - isolation of the layers of your system. Alternatively, Directory Proxy Server can perform this same duty, and is LDAP sensitive.

Re: Isolate servers from client

Humm, I think we don't have the same conception of the "simple" concept ;)

For me the simplest solution is that ejabberd behaves like we expect it to do. Use a pool of LDAP servers and mark servers that are unreachable as invalid and poll them regularly to notice when they become reachable again. I'm sure that future releases of ejabberd will address that problem better. There is already a bug open concerning the ldap_backups directive.

Nevertheless your solution is very good but I can't afford it ;)
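
Added example, not part of the thread and not ejabberd code: a Python sketch contrasting the strict round-robin described above with the pool behaviour proposed in the last post (mark unreachable servers, re-probe them later, switch back when they recover). The names `FailoverPool`, `round_robin_auth`, the `connect` callable and the 30-second `retry_after` are assumptions made for illustration.

```python
import itertools
import time

def round_robin_auth(hosts, connect, requests):
    """Strict rotation as described in the thread: no retry on the other server."""
    ok = 0
    for _, host in zip(range(requests), itertools.cycle(hosts)):
        try:
            connect(host)
            ok += 1
        except ConnectionError:
            pass
    return ok

class FailoverPool:
    """Rotate over hosts, quarantine unreachable ones, re-probe after retry_after s."""
    def __init__(self, hosts, connect, retry_after=30.0, clock=time.monotonic):
        self.hosts, self.connect = list(hosts), connect
        self.retry_after, self.clock = retry_after, clock
        self.down_since = {}  # host -> time it was marked unreachable
        self.next = 0         # rotation cursor

    def auth(self):
        """Return the host that served the request; raise if none is reachable."""
        now, n = self.clock(), len(self.hosts)
        order = [self.hosts[(self.next + i) % n] for i in range(n)]
        def quarantined(h):
            return h in self.down_since and now - self.down_since[h] < self.retry_after
        # Healthy hosts first (stable sort keeps rotation order); quarantined last.
        for host in sorted(order, key=quarantined):
            try:
                self.connect(host)
            except ConnectionError:
                self.down_since[host] = now
                continue
            self.down_since.pop(host, None)  # reachable again: back in rotation
            self.next = (self.hosts.index(host) + 1) % n
            return host
        raise ConnectionError("no LDAP server reachable")

def demo():
    """Constructed scenario: server1 is down, server2 is up, 10 logins each way."""
    up = {"server2"}
    def connect(host):  # hypothetical stand-in for an LDAP bind
        if host not in up:
            raise ConnectionError(host)
    pool = FailoverPool(["server1", "server2"], connect, clock=lambda: 0.0)
    return round_robin_auth(["server1", "server2"], connect, 10), [pool.auth() for _ in range(10)]

if __name__ == "__main__":
    print(demo())
```

With one of two servers down, the round-robin path serves 5 of 10 logins while the pool serves all 10 and contacts the dead server only once per retry window.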
