Posted to users@httpd.apache.org by Steve Nisbet <s....@mmu.ac.uk> on 2006/03/15 10:15:06 UTC

[users@httpd] Multiple LDAP servers in mod_auth_ldap

Hi folks,
I have been using mod_auth_ldap in Apache 2.0 for some time, and apart from
falling over every now and then it functions fine. However, we have a number of
LDAP servers and I wanted a bit of resilience for authentication.

I noted that in the manual for mod_auth_ldap it is suggested that a number of
hosts can be specified, separated by spaces.
Here's the quote from the manual:

host:port

    The name/port of the ldap server (defaults to localhost:389 for ldap, and
localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list
all servers, separated by spaces. mod_auth_ldap will try connecting to each
server in turn, until it makes a successful connection.


My problem is that this is very vague; I have spent some time trying all sorts
of combinations of the server URL to no avail.

Anybody got a working example of multi-host LDAP?


thanks in advance

Steve Nisbet


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Multiple LDAP servers in mod_auth_ldap

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.

Like so:

    AuthLDAPURL \
      "ldaps://IU-MSSG-ADSDC01.ADS.IU.Edu IU-MSSG-ADSDC02.ADS.IU.Edu IU-MSSG-ADSDC03.ADS.IU.Edu IU-MSSG-ADSDC04.ADS.IU.Edu IU-MSSG-ADSDC05.ADS.IU.Edu IU-MSSG-ADSDC06.ADS.IU.Edu/ou=Accounts,DC=ads,DC=iu,DC=edu?CN?one"

That is:  the space-separated list of hostnames goes in between the // and
the /, but otherwise the URL looks normal.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!


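As an added example that is not part of this thread or of mod_auth_ldap itself: a small Python checker that parses an AuthLDAPURL written in the space-separated multi-host form shown in the reply above, so you can confirm which hosts, ports and base DN Apache would be handed before deploying the line. The hostnames are constructed; the defaults applied to the trailing attribute, scope and filter fields are the ones documented in the mod_auth_ldap manual.

```python
import re
from urllib.parse import unquote

# Constructed sample in the form shown above (hypothetical hostnames, not the
# real IU directory servers): the redundant hosts sit between "//" and "/".
SAMPLE_URL = ("ldaps://dc01.example.edu dc02.example.edu:6636 dc03.example.edu"
              "/ou=Accounts,DC=example,DC=edu?CN?one")

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # defaults named in the manual quote

# RFC 2255 layout as AuthLDAPURL uses it: scheme://hosts/basedn?attr?scope?filter
_URL_RE = re.compile(r"(ldaps?)://([^/]*)/([^?]*)(?:\?([^?]*))?(?:\?([^?]*))?(?:\?(.*))?")


def parse_auth_ldap_url(url):
    """Return the pieces of an AuthLDAPURL plus a list of lint warnings."""
    m = _URL_RE.fullmatch(url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL of the AuthLDAPURL form")
    scheme, hostpart, basedn, attr, scope, filt = m.groups()

    hosts = []
    for item in hostpart.split():          # whitespace-separated redundant servers
        host, sep, port = item.rpartition(":")
        if not sep:                        # no explicit port: scheme default applies
            host, port = item, DEFAULT_PORTS[scheme]
        elif port.isdigit():
            port = int(port)
        else:
            raise ValueError(f"bad port in host entry {item!r}")
        hosts.append((host, port))
    if not hosts:
        raise ValueError("no LDAP host given between // and /")

    warnings = []
    if len(hosts) < 2:
        warnings.append("only one host listed: no failover if it is down")
    if " " in basedn:
        # The thread reports escaping trouble with spaces in the base DN on 2.0;
        # flag a raw space so it is tested (or written as %20) deliberately.
        warnings.append("base DN contains an unescaped space")

    return {
        "scheme": scheme,
        "hosts": hosts,
        "basedn": unquote(basedn),
        "attribute": attr or "uid",            # manual default when omitted
        "scope": scope or "sub",               # manual default when omitted
        "filter": filt or "(objectClass=*)",   # manual default when omitted
        "warnings": warnings,
    }
```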


Re: [users@httpd] Multiple LDAP servers in mod_auth_ldap

Posted by Ricardo Stella <st...@rider.edu>.
Apache 2.0 doesn't work quite well for this as when it's linked with
openldap, it does not provide a 'timeout' option, therefore if one of
the ldap servers is down, it'll take forever to switch to the next one.

The netscape libs have that ability but it didn't quite work and required
another small patch.

Also, on 2.0.54 the code was locked to only compile with openldap
regardless...  There's a bug reported, but I believe this part was fixed
in 2.0.55.  The netscape libs ability to provide timeout values was not.

Now, 2.2.0 does work in the way it should straight out of the box which
is good.

Another option I've been toying with is a small load balancer such as pen.

Oh, and there were issues with not properly escaping spaces, if your
basedn included them (like in X500 format).

Since you will need to recompile regardless, I'd say you give 2.2.0 a try...

My .02...

Steve Nisbet wrote:
> Hi folks,
> I have been using mod_auth_ldap in Apache 2.0 for some time, and apart from
> falling over every now and then it functions fine. However, we have a number of
> LDAP servers and I wanted a bit of resilience for authentication.
>
> I noted that in the manual for mod_auth_ldap it is suggested that a number of
> hosts can be specified, separated by spaces.
> Here's the quote from the manual:
>
> host:port
>
>     The name/port of the ldap server (defaults to localhost:389 for ldap, and
> localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list
> all servers, separated by spaces. mod_auth_ldap will try connecting to each
> server in turn, until it makes a successful connection.
>
>
> My problem is that this is very vague; I have spent some time trying all sorts
> of combinations of the server URL to no avail.
>
> Anybody got a working example of multi-host LDAP?
>
>
> thanks in advance
>
> Steve Nisbet
>
>
