[Auth_ldap] support for multiple servers - any updates ? any other module ?
Ricardo Stella
stella at rider.edu
Thu Sep 15 12:38:36 PDT 2005
My guess is in my case, my baseDN includes spaces (old style), ie:
"o=This Organization, c=US"
Also, not clear if you need to specify basedn?attribute?scope?filter for
each (the example doesn't) ie:
AuthLDAPUrl ldap://server:port
ldap2://server:port/basedn?attribute?scope?filter
or
AuthLDAPUrl ldap://server:port/basedn?attribute?scope?filter
ldap2://server:port/basedn?attribute?scope?filter
Tried putting the basedn within quotes, but made no difference. We
cannot put the whole ldap string in quotes though...
Rohit Kumar Mehta wrote:
> hmm that looks like a fine way to do things. I will try it out!
>
> thanks :)
>
> Brady Bellinger wrote:
>
>> Does this not work for you (look for three asterisks)?
>>
>>
>> AuthLDAPUrl
>>
>> *Syntax:* <http://www.apache.org/docs/mod/directive-dict.html#Syntax>
>> AuthLDAPUrl / url /
>> *Context:*
>> <http://www.apache.org/docs/mod/directive-dict.html#Context>
>> directory, .htaccess
>> *Override:*
>> <http://www.apache.org/docs/mod/directive-dict.html#Override> AuthConfig
>> *Status:* <http://www.apache.org/docs/mod/directive-dict.html#Status>
>> Extension
>> *Module:* <http://www.apache.org/docs/mod/directive-dict.html#Module>
>> auth_ldap
>>
>> An RFC 2255 URL which specifies the LDAP search parameters to use.
>> The syntax of the URL is
>>
>> ldap://host:port/basedn?attribute?scope?filter
>>
>> ldap For regular ldap, use the string /ldap/. For secure LDAP,
>> use /ldaps/ instead. Secure LDAP is only available if auth_ldap was
>> compiled with SSL support.
>> host:port
>>
>> The name/port of the ldap server (defaults to /localhost:389/ for
>> /ldap/, and /localhost:636/ for /ldaps/).*** To specify multiple,
>> redundant LDAP servers, just list all servers, separated by spaces.
>> auth_ldap will try connecting to each server in turn, until it makes
>> a successful connection.***
>>
>> Once a connection has been made to a server, that connection remains
>> active for the life of the /httpd/ process, or until the LDAP server
>> goes down.
>>
>> If the LDAP server goes down and breaks an existing connection,
>> auth_ldap will attempt to re-connect, starting with the primary
>> server, and trying each redundant server in turn. Note that this is
>> different than a true round-robin search.
>>
>> basedn The DN of the branch of the directory where all searches
>> should start from. At the very least, this must be the top of your
>> directory tree, but could also specify a subtree in the directory.
>> attribute The attribute to search for. Although RFC 2255 allows a
>> comma-separated list of attributes, only the first attribute will be
>> used, no matter how many are provided. If no attributes are provided,
>> the default is to use uid. It's a good idea to choose an attribute
>> that will be unique across all entries in the subtree you will be using.
>> scope The scope of the search. Can be either /one/ or /sub/. Note
>> that a scope of /base/ is also supported by RFC 2255, but is not
>> supported by this module. If the scope is not provided, or if /base/
>> scope is specified, the default is to use a scope of /sub/.
>> filter A valid LDAP search filter. If not provided, defaults to
>> (objectClass=*), which will search for all objects in the tree.
>> Filters are limited to approximately 8000 characters (the definition
>> of /MAX_STRING_LEN/ in the Apache source code). This should be more than
>> sufficient for any application.
>>
>> When doing searches, the attribute, filter and username passed by the
>> HTTP client are combined to create a search filter that looks like
>> (&(/filter/)(/attribute/=/username/)).
>>
>> For example, consider a URL of
>> /ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*)
>> <ldap://ldap.airius.com/o=Airius?cn?sub?%28posixid=*%29>/. When a
>> client attempts to connect using a username of /Babs Jenson/, the
>> resulting search filter will be (&(posixid=*)(cn=Babs Jenson)).
>>
>> See below for examples of AuthLDAPURL
>> <http://www.rudedog.org/auth_ldap/1.6/auth_ldap.html#dir:AuthLDAPURL>
>> URLs.
>>
>>
>>
>> On 9/15/05, *Rohit Kumar Mehta* <rohitm at engr.uconn.edu
>> <mailto:rohitm at engr.uconn.edu>> wrote:
>>
>> I want that too!
>> That would be a very valuable feature.
>>
>> We have 3 ldap servers and a ldap cname that points at one of them.
>> If we know we have to take that one down, we change the ldap cname.
>> However, that does not help us in the event of an unplanned outage.
>>
>> Rohit
>>
>> Ricardo Stella wrote:
>>
>> >I'm looking for multiple ldap servers support. Has anyone done any
>> >patches for it ?
>> >
>> >If not, does any one know of any other modules that would support
>> it ? I
>> >would rather have it being supported by the module than having to
>> rely
>> >on round robin DNS...
>> >
>> >Also, is this module dead ? TIA...
>> >
>> >TIA.
>> >
>> >
>> >
>> >_______________________________________________
>> >Auth_ldap mailing list
>> >Auth_ldap at rudedog.org <mailto:Auth_ldap at rudedog.org>
>> >http://www.rudedog.org/mailman/listinfo/auth_ldap
>> >
>> >
>>
>> --
>> brady at bradybellinger dot com
>> To send me encrypted email or verify my signature, my public key is
>> available at http://bradybellinger.com/brady.asc
>
>
>
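As an added illustration (not code from this thread or from the auth_ldap module itself), the following Python applies the AuthLDAPUrl rules quoted above: space separated redundant hosts with default ports, only the first attribute used, /base/ scope mapped to /sub/, the default filter, and the combined (&(filter)(attribute=username)) search filter. Percent-decoding of the base DN covers the "o=This Organization, c=US" case from the question. The RFC 4515 escaping of the username is my addition, not something the page says auth_ldap does; it is the check a defender wants so that a crafted username cannot alter the filter's structure.

```python
"""Parse an RFC 2255 style AuthLDAPUrl and build the search filter.

Mirrors the rules quoted in the thread; the escaping step is an
assumption added here, not documented behaviour of auth_ldap."""
from urllib.parse import unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_auth_ldap_url(url):
    scheme, _, rest = url.partition("://")
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("scheme must be ldap or ldaps")
    # Everything before the first "/" is the host list, space separated;
    # servers are tried in this order until one connection succeeds.
    hostpart, _, path = rest.partition("/")
    servers = []
    for hp in hostpart.split() or ["localhost"]:
        host, _, port = hp.partition(":")
        servers.append((host, int(port) if port else DEFAULT_PORTS[scheme]))
    fields = path.split("?")
    fields += [""] * (4 - len(fields))          # pad missing ?-fields
    basedn, attrs, scope, filt = (unquote(f) for f in fields[:4])
    attribute = attrs.split(",")[0] if attrs else "uid"  # first attr only
    scope = scope.lower()
    if scope not in ("one", "sub"):             # "base" or empty -> sub
        scope = "sub"
    filt = filt or "(objectClass=*)"
    return {"scheme": scheme, "servers": servers, "basedn": basedn,
            "attribute": attribute, "scope": scope, "filter": filt}


def escape_filter_value(value):
    """RFC 4515 escaping: *, (, ), \\ and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_search_filter(cfg, username):
    """The (&(filter)(attribute=username)) form described in the docs,
    with the client-supplied username escaped before insertion."""
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                              escape_filter_value(username))


if __name__ == "__main__":
    cfg = parse_auth_ldap_url(
        "ldap://ldap1.example.com ldap2.example.com:6636"
        "/o=This%20Organization,%20c=US?uid?sub")
    print(cfg["servers"], cfg["basedn"])
    print(build_search_filter(cfg, "Babs Jenson"))
```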