[Auth_ldap] support for multiple servers - any updates ? any other module ?
Rohit Kumar Mehta
rohitm at engr.uconn.edu
Thu Sep 15 12:26:40 PDT 2005
Hmm, that looks like a fine way to do things. I will try it out!
Thanks :)
Brady Bellinger wrote:
> Does this not work for you (look for three asterisks)?
>
>
> AuthLDAPUrl
>
> Syntax: AuthLDAPUrl url
> Context: directory, .htaccess
> Override: AuthConfig
> Status: Extension
> Module: auth_ldap
>
> An RFC 2255 URL which specifies the LDAP search parameters to use. The
> syntax of the URL is
>
> ldap://host:port/basedn?attribute?scope?filter
>
> ldap For regular ldap, use the string /ldap/. For secure LDAP, use
> /ldaps/ instead. Secure LDAP is only available if auth_ldap was
> compiled with SSL support.
> host:port
>
> The name/port of the ldap server (defaults to /localhost:389/ for
> /ldap/, and /localhost:636/ for /ldaps/).*** To specify multiple,
> redundant LDAP servers, just list all servers, separated by spaces.
> auth_ldap will try connecting to each server in turn, until it makes a
> successful connection.***
>
> Once a connection has been made to a server, that connection remains
> active for the life of the /httpd/ process, or until the LDAP server
> goes down.
>
> If the LDAP server goes down and breaks an existing connection,
> auth_ldap will attempt to re-connect, starting with the primary
> server, and trying each redundant server in turn. Note that this is
> different than a true round-robin search.
>
> basedn The DN of the branch of the directory where all searches
> should start from. At the very least, this must be the top of your
> directory tree, but could also specify a subtree in the directory.
> attribute The attribute to search for. Although RFC 2255 allows a
> comma-separated list of attributes, only the first attribute will be
> used, no matter how many are provided. If no attributes are provided,
> the default is to use uid. It's a good idea to choose an attribute
> that will be unique across all entries in the subtree you will be using.
> scope The scope of the search. Can be either /one/ or /sub/. Note
> that a scope of /base/ is also supported by RFC 2255, but is not
> supported by this module. If the scope is not provided, or if /base/
> scope is specified, the default is to use a scope of /sub/.
> filter A valid LDAP search filter. If not provided, defaults to
> (objectClass=*), which will search for all objects in the tree.
> Filters are limited to approximately 8000 characters (the definition
> of /MAX_STRING_LEN/ in the Apache source code). This should be more than
> sufficient for any application.
>
> When doing searches, the attribute, filter and username passed by the
> HTTP client are combined to create a search filter that looks like
> (&(/filter/)(/attribute/=/username/)).
>
> For example, consider an URL of
> /ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*)/. When a
> client attempts to connect using a username of /Babs Jenson/, the
> resulting search filter will be (&(posixid=*)(cn=Babs Jenson)).
>
> See below for examples of AuthLDAPURL
> <http://www.rudedog.org/auth_ldap/1.6/auth_ldap.html#dir:AuthLDAPURL>
> URLs.
>
>
>
> On 9/15/05, Rohit Kumar Mehta <rohitm at engr.uconn.edu> wrote:
>
> I want that too!
> That would be a very valuable feature.
>
> We have 3 ldap servers and a ldap cname that points at one of them.
> If we know we have to take that one down, we change the ldap cname.
> However, that does not help us in the event of an unplanned outage.
>
> Rohit
>
> Ricardo Stella wrote:
>
> >I'm looking for multiple ldap servers support. Has anyone done any
> >patches for it ?
> >
> >If not, does anyone know of any other modules that would support it ? I
> >would rather have it being supported by the module than having to rely
> >on round robin DNS...
> >
> >Also, is this module dead ? TIA...
> >
> >TIA.
> >
> >
> >
> >_______________________________________________
> >Auth_ldap mailing list
> >Auth_ldap at rudedog.org
> >http://www.rudedog.org/mailman/listinfo/auth_ldap
> >
> >
>
> --
> brady at bradybellinger dot com
> To send me encrypted email or verify my signature, my public key is
> available at <http://bradybellinger.com/brady.asc>.
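The URL grammar, the multi-server failover order and the filter construction quoted above, modelled in a small added Python example (not auth_ldap's own code). It applies the documented defaults, walks the space-separated server list primary-first, and assembles (&(filter)(attribute=username)); the RFC 4515 escaping of the username is this example's defensive addition, not something the quoted documentation describes, and the example.com hostnames are constructed.

```python
import re
from urllib.parse import unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_auth_ldap_url(url):
    """Parse scheme://host[:port][ host2[:port] ...]/basedn?attribute?scope?filter
    with the defaults the documentation states: uid, sub, (objectClass=*), 389/636."""
    m = re.match(r"^(ldaps?)://([^/]*)/(.*)$", url)
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, host_part, rest = m.groups()
    servers = []
    # Redundant servers are listed separated by spaces; each may carry its own port.
    for entry in host_part.split() or ["localhost"]:
        name, _, port = entry.partition(":")
        servers.append((name, int(port) if port else DEFAULT_PORT[scheme]))
    basedn, attribute, scope, filt = (unquote(rest).split("?") + ["", "", ""])[:4]
    return {
        "scheme": scheme,
        "servers": servers,
        "basedn": basedn,
        # Only the first attribute of an RFC 2255 comma-separated list is used.
        "attribute": attribute.split(",")[0] if attribute else "uid",
        # A scope of 'base' is not supported by the module and falls back to 'sub'.
        "scope": scope if scope in ("one", "sub") else "sub",
        "filter": filt or "(objectClass=*)",
    }


def escape_filter_value(value):
    """RFC 4515 escaping so a username cannot change the structure of the filter.
    (Defensive addition of this example; the quoted docs describe plain concatenation.)"""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_search_filter(cfg, username):
    """Combine filter, attribute and username as documented: (&(filter)(attribute=username))."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"], escape_filter_value(username))


def first_reachable(servers, reachable):
    """Documented connection order: primary first, then each redundant server in turn.
    A reconnect after a dropped connection restarts from the primary, i.e. calls this again."""
    for server in servers:
        if reachable(server):
            return server
    return None


if __name__ == "__main__":
    cfg = parse_auth_ldap_url("ldap://ldap1.example.com ldap2.example.com:3389/dc=example,dc=com?uid")
    print(cfg["servers"], build_search_filter(cfg, "bjenson"))
    print(first_reachable(cfg["servers"], lambda s: s[0] == "ldap2.example.com"))
```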