How to troubleshoot multiple ldap servers fail over process.


Article ID: 296922


Updated On: 12-19-2023

Products

VMware Tanzu Greenplum

Issue/Introduction

Some customers may prefer setting up multiple LDAP servers for high availability. This is done in the pg_hba.conf file by listing two LDAP server addresses, separated by a space, in the ldapserver option. With this setup, when the first LDAP server is not working, the connection process contacts the second LDAP server.

host  all   +"role_name"   ip_address/24 ldap ldapserver="ldap_server_one ldap_server_two" ldapport=389 ldapprefix="xxx=" ldapsuffix=",ou=xxxxx,DC=xxx,DC=xxx,DC=xxx"

But in certain situations, the connection process does not reach the second LDAP server when the first LDAP server is unavailable.

Environment

Product Version: 6.25

Resolution

Here are two steps to troubleshoot:

  1. Use the curl command below to verify whether the LDAP connection (and its failover) works. The two LDAP server addresses are again separated by a space. Wrapping the command in "time -p" also records the total run time of the test. From the output, we can tell whether the connection tried both LDAP servers when the first LDAP server is not available.

time -p curl -v --user "ou=xxx,dc=xxx,dc=xxx" "ldap://ldap_server_one ldap_server_two/dc=xxxx,dc=xxxx?objectClass?one"

  2. If the previous test shows that the connection does try to reach both LDAP servers when the first one is not available, another possibility is that the connect time exceeds the "authentication_timeout" setting. In other words, the connection process cannot wait long enough for the connection to switch to the second LDAP server. Check the current Greenplum or PostgreSQL authentication_timeout setting with the command below. If the connection run time measured in step 1 is longer than authentication_timeout, set a higher value for the authentication_timeout parameter and try again. The new value takes effect after "gpstop -u" or "pg_ctl reload".

psql -c 'show all' | grep authentication_timeout
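As an added illustration of the two steps above (not part of the original article), the helper below pulls the server list out of a pg_hba.conf ldap line, reads the wall-clock "real" figure from the "time -p" output of step 1, and compares it against an authentication_timeout value in PostgreSQL duration syntax. The pg_hba.conf line and the "time -p" output embedded here are constructed sample input.

```python
import re
import shlex

# PostgreSQL duration units in seconds. authentication_timeout takes seconds
# as its default unit when the value carries no suffix.
_UNITS = {"us": 1e-6, "ms": 1e-3, "s": 1.0, "min": 60.0, "h": 3600.0, "d": 86400.0}


def parse_pg_duration(value, default_unit="s"):
    """Convert a GUC duration such as '1min', '60s' or '90' into seconds."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([a-z]*)\s*", value)
    if not m:
        raise ValueError(f"not a duration: {value!r}")
    number, unit = float(m.group(1)), (m.group(2) or default_unit)
    return number * _UNITS[unit]


def ldap_servers_from_hba(line):
    """Return the space-separated hosts given in the ldapserver="..." option."""
    for token in shlex.split(line):          # shlex honours the double quotes
        if token.startswith("ldapserver="):
            return token[len("ldapserver="):].split()
    return []


def real_seconds_from_time_p(output):
    """Extract the wall-clock 'real N.NN' line printed by `time -p`."""
    m = re.search(r"^real\s+(\d+(?:\.\d+)?)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'real' line found in time -p output")
    return float(m.group(1))


def failover_fits_timeout(real_seconds, authentication_timeout):
    """True when the step-1 curl test finished within authentication_timeout."""
    return real_seconds < parse_pg_duration(authentication_timeout)


# Constructed sample input: the pg_hba.conf line from the article and a
# `time -p` result where curl needed ~75 s before the second server answered.
HBA_LINE = ('host all +"role_name" ip_address/24 ldap '
            'ldapserver="ldap_server_one ldap_server_two" ldapport=389 '
            'ldapprefix="xxx=" ldapsuffix=",ou=xxxxx,DC=xxx,DC=xxx,DC=xxx"')
TIME_P_OUTPUT = "real 75.42\nuser 0.01\nsys 0.02\n"

if __name__ == "__main__":
    elapsed = real_seconds_from_time_p(TIME_P_OUTPUT)
    print("servers tried:", ldap_servers_from_hba(HBA_LINE))
    for setting in ("1min", "2min"):        # default value, then a raised value
        print(f"authentication_timeout={setting}: fits={failover_fits_timeout(elapsed, setting)}")
```

With the default authentication_timeout of 1min the 75 s failover is rejected, which is the symptom step 2 describes; raising it to 2min lets the switch to the second server complete.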