Hello, I'm trying this here first before moving to the Apache list. Maybe some of you use mod_authnz_ldap with multiple LDAP servers declared for redundancy. With one server declared it is working.
Here is what I've tried for adding another one (space-separated, as read in the Apache docs): .... AuthLDAPURL ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo) ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo) ....
Result: Syntax error on line 43 of /etc/httpd/conf.d/trac.conf: Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/STARTTLS
Second test with quotes (as seen with some googling): .... AuthLDAPURL "ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo) ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)" ....
Result: Syntax error on line 43 of /etc/httpd/conf.d/trac.conf: Bad URL encountered while parsing LDAP URL.
I've also tried to quote each LDAP declaration separately. No go.
Can someone show me the clean way to achieve this?
Thanks, kfx.
On 7/18/07, kfx kadafax@gmail.com wrote:
Hello, I'm trying this here first before moving to the Apache list. Maybe some of you use mod_authnz_ldap with multiple LDAP servers declared for redundancy.
I'm not certain that you can do this with multiple servers. You might consider looking at the mod_ldap connection pooling functions for better performance.
With one server declared it is working.
Here is what I've tried for adding another one (space-separated, as read in the Apache docs): .... AuthLDAPURL ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo) ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)
Result: Syntax error on line 43 of /etc/httpd/conf.d/trac.conf: Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/STARTTLS
You're getting this because technically your syntax is wrong. There are a couple of separate parts to the AuthLDAPUrl string, one of which is a security directive which follows the URL. For example, I use something like:
AuthLDAPUrl "ldaps://my.server.here/ou=foo,ou=bar, o=u.s, c=us?cn" SSL
The SSL specifies the security for the URL in addition to the 'ldaps'. It's not documented overly well in my opinion.
I've also tried to quote each LDAP declaration separately. No go.
Can someone show me the clean way to achieve this?
You need to quote the URL anyway if it contains spaces, otherwise it won't be parsed correctly.
Thanks Jim for your answer:
Jim Perrin wrote:
On 7/18/07, kfx kadafax@gmail.com wrote:
Hello, I'm trying this here first before moving to the Apache list. Maybe some of you use mod_authnz_ldap with multiple LDAP servers declared for redundancy.
I'm not certain that you can do this with multiple servers. You might consider looking at the mod_ldap connection pooling functions for better performance.
With one server declared it is working.
Here is what I've tried for adding another one (space-separated, as read in the Apache docs): .... AuthLDAPURL ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo) ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)
Result: Syntax error on line 43 of /etc/httpd/conf.d/trac.conf: Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/STARTTLS
You're getting this because technically your syntax is wrong. There are a couple of separate parts to the AuthLDAPUrl string, one of which is a security directive which follows the URL. For example, I use something like:
AuthLDAPUrl "ldaps://my.server.here/ou=foo,ou=bar, o=u.s, c=us?cn" SSL
The SSL specifies the security for the URL in addition to the 'ldaps'. It's not documented overly well in my opinion.
I agree:
http://httpd.apache.org/docs/2.2/mod/mod_ldap.html --> no indication on declaring more than one LDAP server
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html --> "host:port The name/port of the ldap server (defaults to localhost:389 for ldap, and localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. mod_authnz_ldap will try connecting to each server in turn, until it makes a successful connection."
That's what I'm trying to do, with no result...
How do you people achieve redundancy on LDAP-based web authentication?
Thx, kfx
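As an added worked example (not from any poster in this thread), here is how the quoted doc text combines with Jim's point about the trailing connection-mode keyword: the redundant hosts are listed inside the host:port position of one quoted URL, not as two complete URLs, and the mode keyword follows the closing quote. It assumes Apache 2.2 with mod_ldap and mod_authnz_ldap loaded, reuses the ldap1/ldap2.example.com names and the filter from kfx's config, and the CA certificate path is a placeholder.

```apache
# Added example, not the thread's own config. Assumes Apache 2.2 with
# mod_ldap and mod_authnz_ldap loaded.
#
# Both hosts sit inside ONE quoted URL, in the host:port position, separated
# by a space. The keyword after the closing quote is the connection mode
# (NONE, SSL or TLS), which is the value the first error message was
# complaining about: an unquoted second URL was being read as that keyword.
<Location /trac>
    AuthType Basic
    AuthName "Trac"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://ldap1.example.com ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)" SSL
    Require valid-user
</Location>

# Verify the LDAP server certificate rather than accepting any ldaps endpoint.
# /etc/pki/tls/certs/ldap-ca.pem is a placeholder path for your CA bundle.
LDAPVerifyServerCert On
LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/certs/ldap-ca.pem

# mod_ldap search/bind result caching, the "connection/query pooling"
# Jim refers to. Sizes in entries, TTLs in seconds.
LDAPSharedCacheSize 500000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
```

Run `apachectl configtest` after editing so a parse error surfaces before a reload. To confirm the failover actually works, take ldap1 out of service in a test environment and check that logins still succeed; with `LogLevel debug`, mod_authnz_ldap logs which server it bound to, so you can see it move on to ldap2 rather than silently failing authentication.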
On 7/18/07, kfx kadafax@gmail.com wrote:
Thanks Jim for your answer:
That's what I'm trying to do, with no result...
How do you people achieve redundancy on LDAP-based web authentication?
Our LDAP servers are load balanced. I point to the pool address and let the load balancer handle it. For performance, we mostly just use connection/query pooling with mod_ldap.