
Re: OD master LDAP instability




On Jan 31, 2005, at 6:56 AM, Matt Richard wrote:

There is also a problem with the way OD clients pick the replica they want to use. From my experience it seems like the clients grab the information from cn=ldapreplicas,cn=config,dc=example,dc=edu which has a list of all the valid OD servers. After that the client starts using the first server in the list, which is the OD master. If the OD master is unavailable, the clients will switch to another replica.

The client sequentially queries these servers, milliseconds apart, using the first responder. Happenstance means that unless there's latency between you and the Master, you'll more often than not use the master.


Note that PasswordServer and Kerberos replicas are chosen independently; again, though, the fastest responder is used. The LDAP client appears to have a hard-coded 15 sec minimum timeout before other replicas are re-evaluated, but I haven't been smart enough to find it in the code.


There is also a problem with LDAP clients using cleartext (or simple) authentication. Sometimes the slapd process hangs with 100% cpu. Sometimes slapd incorrectly denies an authentication request. I'd look to see if the Redhat clients are using simple authentication or if they are able to do SASL LDAP binds for authentication.

I should hope they were doing CRAM-MD5.


I'm sure Apple is working on these problems, but I suggest you tell Apple about them yourself, if you hope to get them fixed. I'd suggest opening a case or submitting a bug through the Developer site.

Anyone have Radar #s? I've had good luck getting scalability issues addressed in the past. The engineer in question is among the most responsive I've worked with.


Not great.

In the absence of any better ideas, I'm adding a StartupItem that will randomly pick an ldap server, use ipfw to block the other two, restart DirectoryService, and then flush ipfw again.

I've done this server-side in the past, specifically determining which clients talk to which servers. It's not a bad idea, either way you do it.


What sort of load are others seeing on their LDAP boxes? Is it worth adding an idle timeout to slapd.conf?

The client itself has a pretty severe idle timeout, so I wouldn't worry about one server-side.


http://www.4am-media.com
Mac OS X Consulting and Training
Michael Bartosh
email@hidden
303.517.0272
Denver, CO


"The surest way to corrupt a youth is to instruct him to hold in higher regard those who think alike than those who think differently."

-- Nietzsche
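The StartupItem workaround discussed in this thread (pick one replica, block LDAP to the others with ipfw while DirectoryService restarts, then undo the block), as an added example script that is not from the thread or from Apple. The replica hostnames, the ipfw rule numbers, the settle time and the assumption that the system relaunches DirectoryService after it is killed are all constructed for the example; it deletes only the rules it added instead of flushing the whole ruleset.

```sh
#!/bin/sh
# Added example: pin this client to one OD replica for the duration of a
# DirectoryService restart. Hostnames and rule numbers are constructed.
REPLICAS="${REPLICAS:-od-master.example.edu od-replica1.example.edu od-replica2.example.edu}"
RULE_BASE=2000      # assumed free ipfw rule range; one rule per blocked replica
SETTLE_SECS=20      # longer than the ~15 s re-evaluation window noted above

# pick_replica LIST SEED: print one host from the space-separated LIST.
# Real runs pass $$ as SEED; a fixed SEED makes the choice reproducible.
pick_replica() {
    list=$1; seed=$2
    set -- $list
    idx=$(( seed % $# + 1 ))
    eval "printf '%s\n' \"\${$idx}\""
}

# block_rules LIST CHOSEN: print ipfw commands denying LDAP/LDAPS from this
# host to every replica except CHOSEN (printed, not run, so they can be reviewed).
block_rules() {
    list=$1; chosen=$2; rule=$RULE_BASE
    for host in $list; do
        [ "$host" = "$chosen" ] && continue
        printf 'ipfw add %d deny tcp from me to %s 389,636\n' "$rule" "$host"
        rule=$((rule + 1))
    done
}

# unblock_rules LIST: print one ipfw command deleting exactly the rules
# block_rules adds (count = replicas - 1), leaving other rules untouched.
unblock_rules() {
    set -- $1
    n=$(( $# - 1 )); rule=$RULE_BASE; cmd="ipfw delete"
    while [ "$n" -gt 0 ]; do
        cmd="$cmd $rule"; rule=$((rule + 1)); n=$((n - 1))
    done
    printf '%s\n' "$cmd"
}

main() {
    chosen=$(pick_replica "$REPLICAS" "$$")
    logger -t od-pin "pinning DirectoryService to $chosen"
    block_rules "$REPLICAS" "$chosen" | sh
    killall DirectoryService          # assumed: the system relaunches the daemon
    sleep "$SETTLE_SECS"              # let the client bind to the only reachable replica
    unblock_rules "$REPLICAS" | sh
}

# StartupItems are invoked with start/stop/restart; only act on "start".
if [ "${1:-}" = "start" ]; then main; fi
```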

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
References: 
 >OD master LDAP instability (From: Matt Jenns <email@hidden>)
 >Re: OD master LDAP instability (From: "Richard Pride" <email@hidden>)
 >Re: OD master LDAP instability (From: Matt Richard <email@hidden>)
