Thanks Jim for your answer:
Jim Perrin wrote:
On 7/18/07, kfx kadafax@gmail.com wrote:
Hello, I'm trying this here first before moving to the apache list. Maybe some of you use mod_authnz_ldap with multiple LDAP servers declared for redundancy.
I'm not certain that you can do this with multiple servers. You might consider looking at the mod_ldap connection pooling functions for better performance.
With one server declared it is working.
Here is what I've tried for adding another one (space separated, as read in the apache's doc): .... AuthLDAPURL ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)
ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)
Result: Syntax error on line 43 of /etc/httpd/conf.d/trac.conf: Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/STARTTLS
You're getting this because technically your syntax is wrong. There are a couple of separate parts to the AuthLDAPUrl string, one of which is a security directive which follows the url. For example, I use something like:
AuthLDAPUrl "ldaps://my.server.here/ou=foo,ou=bar, o=u.s, c=us?cn" SSL
The SSL specifies the security for the url in addition to the 'ldaps'. It's not documented overly well in my opinion.
I agree:
http://httpd.apache.org/docs/2.2/mod/mod_ldap.html --> no indication on declaring more than one LDAP server
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html --> "host:port The name/port of the ldap server (defaults to localhost:389 for ldap, and localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. mod_authnz_ldap will try connecting to each server in turn, until it makes a successful connection."
That's what I'm trying to do, with no result...
How do you people achieve redundancy on LDAP based web authentication?
Thx, kfx
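Added example, not part of the thread: the two declarations from the post, rewritten so that Apache sees a single AuthLDAPURL argument (the quoted URL, with both servers listed in its host part) followed by the connection-mode keyword Jim mentions. Without the quotes the whitespace splits the line into two arguments, and the second URL lands in the connection-mode slot, which is exactly the "Invalid LDAP connection mode setting" error. The host names and filter are the ones from the post; the /trac location and the AuthName are assumptions.

```apache
# Added example, not from the thread. Hosts and filter come from the original
# post; the <Location> path and AuthName are assumed.

# Broken form (unquoted): the space makes the second URL the directive's
# second argument, which Apache interprets as the connection mode.
# AuthLDAPURL ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo) ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)

# Corrected form: one quoted URL whose host part lists the redundant servers
# separated by spaces, then the mode keyword as a separate argument.
<Location /trac>
    AuthType Basic
    AuthName "Trac (assumed)"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap1.example.com ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)" SSL
    Require valid-user
</Location>
```

Failover is per connection: mod_authnz_ldap tries ldap1 first and only moves to ldap2 when the connection attempt fails, so a server that accepts connections but answers slowly is not skipped. Because the URL uses ldaps with the SSL keyword, mod_ldap also needs the CA certificate configured (LDAPTrustedGlobalCert in the server context) and both servers must present certificates valid for their own names; otherwise the first server's TLS failure simply cascades to the second.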