manifoldcf-user mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: Active directory servers and failure cases
Date Mon, 12 Oct 2015 12:18:04 GMT
"Does the error message make any sense?"

Hmm, no, it doesn't.  But if I drop the error message into Google, I do get
this:

https://social.technet.microsoft.com/Forums/windows/en-US/ebff2363-5685-44a6-a22b-5fa6785d86c9/ldapsearch-example-with-sasl-bind

I don't know if that's helpful or not...  But if you can figure out what
exactly we're doing wrong with the LDAP connection, I can maybe make the
needed changes to get it working with your system?

I wish I could be of more help, but I'm definitely not an AD expert.

Karl


On Mon, Oct 12, 2015 at 8:09 AM, Adrian Conlon <Adrian.Conlon@arup.com>
wrote:

> Hi Karl,
>
>
>
> That’s interesting.
>
>
>
> I just tried what you suggested and it seems that things are **almost**,
> but not quite set up to work in that way in the company I work for.
>
>
>
> So, the domain is “global.arup.com” and when I ping “global.arup.com”,
> the IP address I get back is the same as one of the AD servers I spoke
> about in the initial email. That would imply that some kind of load
> balancing is taking place around the AD servers.
>
>
>
> However, when I try to use “global.arup.com” as an AD server, I get the
> following connection status:
>
>
>
> *Threw exception: 'Authentication problem authenticating admin user
> 'stgserver': [LDAP: error code 49 - 80090303: LdapErr: DSID-0C0904BD,
> comment: The digest-uri does not match any LDAP SPN's registered for this
> server., data 0, v1db1]'*
>
>
>
> If I use the name of the server pointed to by “global.arup.com” (in this
> instance, “globalad5”), then the connection status becomes “connection
> working”.
>
>
>
> Does the error message make any sense?
>
>
>
> Adrian
>
>
>
> *From:* Karl Wright [mailto:daddywri@gmail.com]
> *Sent:* 12 October 2015 12:48
> *To:* user@manifoldcf.apache.org
> *Subject:* Re: Active directory servers and failure cases
>
>
>
> Hi Adrian,
>
>
>
> In some installations I've seen evidence that AD itself can be configured
> to do "load balancing" of the kind you describe.  In such installations, if
> you access the domain controller through DNS, e.g. "thedomain.com", you
> reach one of a number of different machines, automatically.
>
>
>
> The exact place I've seen this is in the context of a large network that
> was being crawled using JCIFS, which had multiple domain-based DFS roots.
> Resolving each such root required a back-and-forth with a domain
> controller, of which we eventually realized there were more than one.  (And
> at least one of them was out of synch, which caused us no end of trouble.)
>
>
>
> MCF doesn't try to recreate that kind of load balancing, since it would
> appear to be a duplication of effort, but it's possible that our current AD
> authority doesn't play well in such an environment.  If that's the case, we
> should fix it, rather than create our own idea of a load balancer.
>
>
>
> Thanks,
>
> Karl
>
>
>
>
>
> On Mon, Oct 12, 2015 at 7:39 AM, Adrian Conlon <Adrian.Conlon@arup.com>
> wrote:
>
> Hi List,
>
>
>
> We’ve got a problem with Active Directory failure resiliency, and I wonder
> if anyone has any good ideas.
>
>
>
> We’ve got a number of active directory servers available that are (as I
> understand it) mirrors of each other.  Every now and then these servers go
> wrong (or certainly stop responding).
>
>
>
> At the moment, I’ve configured an Authority Group, with a single Authority
> Connection, that uses a single Domain Controller.
>
>
>
> What I’d like to be able to do is associate multiple domain controllers
> with a single authority connection, such that the connection spreads the
> load across all of the available domain controllers and tries the next
> available controller if one stops responding.
>
>
>
> Does that sound possible?  Indeed, is it a good idea?  Or have I missed
> something in the currently available ManifoldCF configuration that would
> allow this already?
>
>
>
> Thanks,
>
>
>
> Adrian
>
>
>
>
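An added example, not part of the thread and not ManifoldCF's own code: a plain JNDI client that addresses each domain controller by its own host name, so the SASL digest-uri names a host the controller has an LDAP SPN for, and moves on to the next controller only when one is unreachable. The host names, the account name and the `LDAP_PASSWORD` environment variable are assumptions made for the illustration.

```java
import java.util.Hashtable;
import java.util.List;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class DcFailover {
    /** Binds to the first controller that answers; callers close the returned context. */
    static LdapContext connect(List<String> dcHosts, String user, String password)
            throws NamingException {
        NamingException last = null;
        for (String host : dcHosts) {
            Hashtable<String, String> env = new Hashtable<>();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            // The JDK LDAP provider hands this host to the SASL layer as the server
            // name, which becomes the digest-uri ("ldap/<host>"). Use the controller's
            // own FQDN here, not the domain name that resolves to several controllers.
            env.put(Context.PROVIDER_URL, "ldap://" + host + ":389");
            env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
            env.put(Context.SECURITY_PRINCIPAL, user);
            env.put(Context.SECURITY_CREDENTIALS, password);
            env.put("com.sun.jndi.ldap.connect.timeout", "3000"); // milliseconds
            env.put("com.sun.jndi.ldap.read.timeout", "5000");    // milliseconds
            try {
                return new InitialLdapContext(env, null);
            } catch (AuthenticationException e) {
                // Error code 49 (bad credentials or SPN mismatch): retrying against
                // other controllers will not help and can lock the account out.
                throw e;
            } catch (NamingException e) {
                last = e; // unreachable or timed out: try the next controller
            }
        }
        throw last != null ? last : new NamingException("no domain controllers configured");
    }

    public static void main(String[] args) throws NamingException {
        String password = System.getenv("LDAP_PASSWORD"); // assumed variable name
        if (password == null) throw new IllegalStateException("LDAP_PASSWORD is not set");
        // Placeholder host names; substitute the FQDNs of the real controllers.
        List<String> dcs = List.of("dc1.corp.example.com", "dc2.corp.example.com");
        LdapContext ctx = connect(dcs, "svc-account", password);
        try {
            System.out.println("bound via " + ctx.getEnvironment().get(Context.PROVIDER_URL));
        } finally {
            ctx.close();
        }
    }
}
```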
