Here are two steps to troubleshoot:
1. Use the curl command below to verify whether the LDAP connection (failover) works. The two LDAP server addresses are separated by a space. The command also reports the total run time of the test. From the output, we can tell whether the connection tried both LDAP servers when the first LDAP server is not available.
time -p curl -v --user "ou=xxx,dc=xxx,dc=xxx" "ldap://"ldap_server_one ldap_server_two"/dc=xxxx,dc=xxxx?objectClass?one"
2. If the previous test shows that the connection tries to reach both LDAP servers when the first LDAP server is not available, then another possibility is that the connect time exceeds the authentication_timeout setting. In other words, the connection process cannot wait until the connection switches to the second LDAP server. Check the current gpdb or postgresql authentication_timeout setting. If the connection run time is longer than authentication_timeout, set a higher value for the authentication_timeout parameter and try again. The new value takes effect after "gpstop -u" or "pg_ctl reload".
psql -c 'show all' |grep authentication_timeout
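The comparison in step 2 can be scripted. The following is an added example, not part of the original note: the function names are hypothetical, the sample timing output is constructed, and it assumes the timeout is displayed in the form PostgreSQL uses for this parameter (for example "1min" or "90s").

```shell
#!/bin/sh
# Added example: compare the run time from step 1 with authentication_timeout.
# Function names are hypothetical; SAMPLE_RUN below is constructed input.

# Convert a displayed timeout ("1min", "90s", or a bare number of seconds)
# into whole seconds. Returns 1 if the value is not understood.
timeout_to_seconds() {
    v=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$v" in
        *min) n=${v%min}; mult=60 ;;
        *s)   n=${v%s};   mult=1 ;;
        *)    n=$v;       mult=1 ;;
    esac
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    echo $(( n * mult ))
}

# Read mixed `time -p` and curl -v output on stdin, print the "real" figure.
real_seconds() {
    awk '$1 == "real" { r = $2 } END { if (r == "") exit 1; print r }'
}

# $1 = captured output of the timed curl test, $2 = displayed timeout value.
# Prints a verdict; returns 1 when the test took at least as long as the timeout.
ldap_timing_verdict() {
    real=$(printf '%s\n' "$1" | real_seconds) || { echo "no-timing"; return 2; }
    limit=$(timeout_to_seconds "$2") || { echo "bad-timeout"; return 2; }
    if awk -v r="$real" -v l="$limit" 'BEGIN { exit !(r + 0 >= l + 0) }'; then
        echo "exceeds: ${real}s >= ${limit}s"
        return 1
    fi
    echo "within: ${real}s < ${limit}s"
}

# Constructed sample of what step 1 leaves on stderr (curl -v lines omitted).
SAMPLE_RUN='* (curl -v output omitted)
real 63.12
user 0.01
sys 0.00'

# Typical use on a live system:
#   run=$( { time -p curl -v ... ; } 2>&1 )
#   limit=$(psql -At -c 'show authentication_timeout')
#   ldap_timing_verdict "$run" "$limit"
```

An "exceeds" verdict means the failover to the second LDAP server cannot finish before the server gives up on authentication, which is the case where raising authentication_timeout applies.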