Posted to dev@whimsical.apache.org by Chris Lambertus <cm...@apache.org> on 2018/02/25 21:25:14 UTC

Re: ldap-eu-ro.apache.org timeouts


> On Feb 23, 2018, at 1:51 PM, sebb <se...@gmail.com> wrote:
> 
>> 
>> Whimsy is in a US EC2 AZ. It should be using ldap-us-ro with eu-ro as a
>> fallback.
> 
> It uses all the defined LDAP servers in turn.



CC: dev@whimsical


In the case of Whimsy, which writes to LDAP, it could be switched over to ldap-master.a.o. IIRC it currently uses the servers in /etc/ldap/ldap.conf. Sometime in the somewhat near future (month-scale), the -ro- servers will be switched to read-only, with ldap-master being the write master. This has the main benefit of centralizing the LDAP access logging, which can’t otherwise (easily) be replicated between multi-masters. I do intend to provide a method in puppet which sets servers known to write to LDAP (id.a.o for example) to ldap-master in /etc/ldap/ldap.conf, so you could also wait for that change.

In the case of Whimsy, switching to ldap-master has the added benefit of keeping Whimsy’s LDAP traffic local to AWS EC2, as they are currently both in the same AZ.

The LDAP ACL changes will be announced ahead of time, of course; this is just a heads-up that could give you some additional performance benefits as well as future-proofing if you’re inclined to implement.

-Chris