[CentOS] apache mod_authnz_ldap: multiple servers syntaxes

Jim Perrin jperrin at gmail.com
Wed Jul 18 13:21:42 UTC 2007


On 7/18/07, kfx <kadafax at gmail.com> wrote:
> Hello,
> I'm trying this here first before moving to the apache list. Maybe
> someone of you use mod_authnz_ldap with multiple ldap servers
> declaration for redundancy.

I'm not certain that you can do this with multiple servers. You might
consider looking at the mod_ldap connection pooling functions for
better performance.

> With one server declared it is working.
>
> Here is what I've tried for adding another one (space separated as read
> in Apache's docs) :
> ....
> AuthLDAPURL
> ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)
> ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)

> Result:
> Syntax error on line 43 of /etc/httpd/conf.d/trac.conf:
> Invalid LDAP connection mode setting: must be one of NONE, SSL, or
> TLS/STARTTLS

You're getting this because technically your syntax is wrong. There
are a couple of separate parts to the AuthLDAPUrl string, one of which is
a security directive which follows the url. For example, I use
something like:

AuthLDAPUrl "ldaps://my.server.here/ou=foo,ou=bar, o=u.s, c=us?cn" SSL

The SSL specifies the security for the url in addition to the 'ldaps'.
It's not documented overly well in my opinion.


> I've also tried to quote each ldap's declaration. No go.
>
> Can someone show me the clean way to achieve this ?
>

You need to quote the url anyway, if it contains spaces, otherwise it
won't be parsed correctly.



-- 
During times of universal deceit, telling the truth becomes a revolutionary act.
George Orwell
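The following httpd configuration is an added example for readers of this thread; it is not part of either message above. It shows the failing form from the original post next to a form that matches the AuthLDAPURL syntax as documented for mod_authnz_ldap: one quoted URL whose host part lists several space-separated servers for failover, followed by the separate connection-mode keyword (NONE, SSL, TLS or STARTTLS). In the failing form the second, unquoted ldaps:// URL lands in that keyword position, which is exactly why httpd reports "Invalid LDAP connection mode setting". The hostnames, base DN, filter and the CA certificate path are taken from or assumed alongside the original post and are placeholders.

```apache
# Added example (not from the thread). Hostnames, DN, filter and paths
# are placeholders taken from or assumed alongside the original post.

# --- Broken: two unquoted URLs on one line -------------------------------
# httpd reads the first token as the URL and the second token as the
# connection mode, so "ldaps://ldap2.example.com/..." is rejected with
# "Invalid LDAP connection mode setting: must be one of NONE, SSL, or
# TLS/STARTTLS".
#
# AuthLDAPURL ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo) ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)

# --- Working: one quoted URL, space-separated hosts, then the mode --------
# mod_ldap tries the listed hosts in order, so ldap2 is used only when
# ldap1 cannot be reached. Because the URL now contains spaces it must be
# quoted, otherwise httpd splits it into separate arguments again. The
# single scheme and (implicit 636) port apply to every host in the list.
<Location /trac>
    AuthType Basic
    AuthName "Trac"
    AuthBasicProvider ldap

    AuthLDAPURL "ldaps://ldap1.example.com ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)" SSL

    # If the directory does not allow anonymous search, bind with a
    # low-privilege read-only account (placeholder DN and password).
    # AuthLDAPBindDN "cn=httpd-ro,ou=Service,dc=example,dc=com"
    # AuthLDAPBindPassword "change-me"

    Require valid-user
</Location>

# --- Caveat: ldaps:// is only as good as the certificate check ------------
# Pin the CA that issued the directory servers' certificates so a forged
# server cannot harvest users' passwords; the path is a placeholder.
# These directives are server-wide (mod_ldap), not per-Location.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ldap-ca.crt
LDAPVerifyServerCert On
```

Run `httpd -t` (or `service httpd configtest`) after the change; the syntax error from the original post disappears once the URL is a single quoted argument. Note that `SSL` after the URL and the `ldaps://` scheme are redundant with each other here, which is consistent with Jim's remark that both are commonly given.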


