[CentOS] apache mod_authnz_ldap: multiple servers syntaxes

Wed Jul 18 13:58:19 UTC 2007
kfx <kadafax at gmail.com>

Thanks Jim for your answer:

Jim Perrin wrote:
> On 7/18/07, kfx <kadafax at gmail.com> wrote:
>> Hello,
>> I'm trying this here first before moving to the apache list. Maybe
>> some of you use mod_authnz_ldap with multiple ldap servers
>> declaration for redundancy.
>
> I'm not certain that you can do this with multiple servers. You might
> consider looking at the mod_ldap connection pooling functions for
> better performance.
>
>> With one server declared it is working.
>>
>> Here is what I've tried for adding another one (space separated as read
>> in the apache's doc) :
>> ....
>> AuthLDAPURL
>> ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)
>>
>> ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)
>>
>
>> Result:
>> Syntax error on line 43 of /etc/httpd/conf.d/trac.conf:
>> Invalid LDAP connection mode setting: must be one of NONE, SSL, or
>> TLS/STARTTL>
>
> You're getting this because technically your syntax is wrong. There
> are a couple separate parts to the AuthLDAPUrl string, one of which is
> a security directive which follows the url. For example, I use
> something like:
>
> AuthLDAPUrl "ldaps://my.server.here/ou=foo,ou=bar, o=u.s, c=us?cn" SSL
>
> The ssl specifies the security for the url in addition to the 'ldaps'.
> It's not documented overly well in my opinion.
>
I agree:

http://httpd.apache.org/docs/2.2/mod/mod_ldap.html  
--> no indications on more than one ldap servers declaration

http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
-->
"host:port
The name/port of the ldap server (defaults to localhost:389 for
ldap, and localhost:636 for ldaps). To specify multiple, redundant
LDAP servers, just list all servers, separated by spaces.
mod_authnz_ldap will try connecting to each server in turn, until it
makes a successful connection."

That's what I'm trying to do, with no result...

How do you people achieve redundancy on LDAP based web authentication ?

Thx,
kfx
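Added example, not part of the thread and not Apache's own code: a small Python model of how an `AuthLDAPURL` line is split into its arguments and how the host list inside the URL is read. It assumes (my reading of the documentation quoted above) that the redundant servers go inside the host portion of one double-quoted URL, with the optional connection-mode keyword as a separate second argument. The two directive strings, and the host names ldap1/ldap2.example.com, are constructed from the examples in the thread.

```python
"""Simplified model of AuthLDAPURL argument parsing (added illustration,
not httpd's parser).  Shows why two unquoted URLs produce the
'Invalid LDAP connection mode setting' error and what a single URL with
a space-separated host list yields instead."""
import shlex

# Connection-mode tokens named by the error message in the thread.
VALID_MODES = {"NONE", "SSL", "TLS", "STARTTLS"}


def split_ldap_url(url):
    """Break an LDAP URL into its parts.

    Layout: scheme://host1[:port] [host2[:port] ...]/basedn?attr?scope?filter
    The host portion may hold several whitespace-separated servers; that is
    the 'redundant servers' form described in the documentation (assumption:
    the hosts are listed inside one URL, not as several URLs).
    """
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must begin with ldap:// or ldaps://")
    hostpart, _, path = rest.partition("/")
    hosts = hostpart.split()          # redundant servers, tried in order
    if not hosts:
        raise ValueError("no LDAP host given")
    basedn, _, query = path.partition("?")
    # attribute, scope and filter are optional, each separated by '?'
    fields = (query.split("?") + ["", "", ""])[:3]
    return {
        "scheme": scheme,
        "hosts": hosts,
        "basedn": basedn,
        "attribute": fields[0] or "uid",          # documented default
        "scope": fields[1] or "sub",              # documented default
        "filter": fields[2] or "(objectClass=*)", # documented default
    }


def parse_authldapurl(argument_text):
    """Parse everything after the word 'AuthLDAPURL' on a config line.

    httpd splits directive arguments on whitespace while honouring double
    quotes; shlex.split models that.  The first argument is the URL, the
    optional second one the connection mode.  A second argument that is not a
    mode token reproduces the error quoted in the thread.
    """
    args = shlex.split(argument_text)
    if not args:
        raise ValueError("AuthLDAPURL requires a URL")
    if len(args) > 2:
        raise ValueError("AuthLDAPURL takes at most two arguments")
    parsed = split_ldap_url(args[0])
    mode = args[1].upper() if len(args) == 2 else None
    if mode is not None and mode not in VALID_MODES:
        raise ValueError(
            "Invalid LDAP connection mode setting: must be one of NONE, SSL, "
            "or TLS/STARTTLS (got %r)" % args[1])
    # modelled behaviour: ldaps:// implies SSL when no mode keyword is given
    parsed["mode"] = mode or ("SSL" if parsed["scheme"] == "ldaps" else "NONE")
    return parsed


# Constructed input 1: the form from the thread, two whole URLs, unquoted.
BROKEN = (
    "ldaps://ldap1.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo) "
    "ldaps://ldap2.example.com/ou=People,dc=example,dc=com?uid??(businessCategory=foo)"
)

# Constructed input 2: both hosts inside one quoted URL, then the mode token.
REDUNDANT = (
    '"ldaps://ldap1.example.com ldap2.example.com'
    '/ou=People,dc=example,dc=com?uid??(businessCategory=foo)" SSL'
)


def describe(argument_text):
    """Return 'ok: ...' or 'error: ...' for one directive argument string."""
    try:
        p = parse_authldapurl(argument_text)
    except ValueError as exc:
        return "error: %s" % exc
    return "ok: %s via %s, mode %s" % (", ".join(p["hosts"]), p["scheme"], p["mode"])


if __name__ == "__main__":
    for text in (BROKEN, REDUNDANT):
        print(describe(text))
```

With the unquoted pair, the second URL lands in the slot reserved for the mode keyword, which is exactly the error kfx reports; with the quoted single URL the model returns both hosts in order plus the SSL mode. Against a real config the equivalent check is `httpd -t` (or `apachectl configtest`) after editing the file.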