[Auth_ldap] support for multiple servers - any updates ? any other module ?

Brady Bellinger brady.bellinger at gmail.com
Thu Sep 15 12:07:43 PDT 2005


Does this not work for you (look for three asterisks)?

AuthLDAPUrl

Syntax:   AuthLDAPUrl url  <http://www.apache.org/docs/mod/directive-dict.html#Syntax>
Context:  directory, .htaccess  <http://www.apache.org/docs/mod/directive-dict.html#Context>
Override: AuthConfig  <http://www.apache.org/docs/mod/directive-dict.html#Override>
Status:   Extension  <http://www.apache.org/docs/mod/directive-dict.html#Status>
Module:   auth_ldap  <http://www.apache.org/docs/mod/directive-dict.html#Module>

An RFC 2255 URL which specifies the LDAP search parameters to use. The
syntax of the URL is

ldap://host:port/basedn?attribute?scope?filter

ldap
    For regular ldap, use the string *ldap*. For secure LDAP, use *ldaps*
    instead. Secure LDAP is only available if auth_ldap was compiled with
    SSL support.

host:port
    The name/port of the ldap server (defaults to *localhost:389* for
    *ldap*, and *localhost:636* for *ldaps*). *** To specify multiple,
    redundant LDAP servers, just list all servers, separated by spaces.
    auth_ldap will try connecting to each server in turn, until it makes a
    successful connection. ***

    Once a connection has been made to a server, that connection remains
    active for the life of the *httpd* process, or until the LDAP server
    goes down.

    If the LDAP server goes down and breaks an existing connection,
    auth_ldap will attempt to re-connect, starting with the primary server,
    and trying each redundant server in turn. Note that this is different
    than a true round-robin search.

basedn
    The DN of the branch of the directory where all searches should start
    from. At the very least, this must be the top of your directory tree,
    but could also specify a subtree in the directory.

attribute
    The attribute to search for. Although RFC 2255 allows a comma-separated
    list of attributes, only the first attribute will be used, no matter
    how many are provided. If no attributes are provided, the default is to
    use uid. It's a good idea to choose an attribute that will be unique
    across all entries in the subtree you will be using.

scope
    The scope of the search. Can be either *one* or *sub*. Note that a
    scope of *base* is also supported by RFC 2255, but is not supported by
    this module. If the scope is not provided, or if *base* scope is
    specified, the default is to use a scope of *sub*.

filter
    A valid LDAP search filter. If not provided, defaults to
    (objectClass=*), which will search for all objects in the tree. Filters
    are limited to approximately 8000 characters (the definition of
    *MAX_STRING_LEN* in the Apache source code). This should be more than
    sufficient for any application.

When doing searches, the attribute, filter and username passed by the HTTP 
client are combined to create a search filter that looks like (&(*filter*)(*
attribute*=*username*)). 

For example, consider a URL of
*ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*)*. When a client attempts
to connect using a username of *Babs Jenson*, the resulting search filter
will be (&(posixid=*)(cn=Babs Jenson)).

See below for examples of AuthLDAPURL URLs
<http://www.rudedog.org/auth_ldap/1.6/auth_ldap.html#dir:AuthLDAPURL>.


On 9/15/05, Rohit Kumar Mehta <rohitm at engr.uconn.edu> wrote:
> 
> I want that too!
> That would be a very valuable feature.
> 
> We have 3 ldap servers and a ldap cname that points at one of them.
> If we know we have to take that one down, we change the ldap cname.
> However, that does not help us in the event of an unplanned outage.
> 
> Rohit
> 
> Ricardo Stella wrote:
> 
> >I'm looking for multiple ldap servers support. Has anyone done any
> >patches for it ?
> >
> >If not, does any one know of any other modules that would support it ? I
> >would rather have it being supported by the module than having to rely
> >on round robin DNS...
> >
> >Also, is this module dead ? TIA...
> >
> >TIA.
> >
> >
> >
> >_______________________________________________
> >Auth_ldap mailing list
> >Auth_ldap at rudedog.org
> >http://www.rudedog.org/mailman/listinfo/auth_ldap
> >
> >
> 
> 



-- 
brady at bradybellinger dot com
To send me encrypted email or verify my signature, my public key is
available at http://bradybellinger.com/brady.asc
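An added example, not code from the auth_ldap module or from anyone on this thread: a small Python model of how the AuthLDAPUrl described above is interpreted (space-separated host list, the attribute/scope/filter defaults, the (&(filter)(attribute=username)) combination, and trying each listed server in order until one answers). The hostnames are constructed, and the RFC 4515 escaping of the username before it is spliced into the filter is this example's own defensive choice, not something the documentation above states.

```python
import re
from urllib.parse import unquote

# Filter metacharacters escaped per RFC 4515 before a client-supplied
# username is spliced into the search filter (assumption: the module's
# own handling is not described above, so this example escapes defensively).
_ESCAPE = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}

def escape_filter_value(value):
    """Escape an assertion value so it cannot alter the filter structure."""
    return ''.join(_ESCAPE.get(ch, ch) for ch in value)

def parse_auth_ldap_url(url):
    """Split an AuthLDAPUrl into its parts, applying the defaults described
    above: hosts separated by spaces, first attribute only, scope sub/one."""
    m = re.match(r'^(ldaps?)://([^/]*)(?:/(.*))?$', url)
    if not m:
        raise ValueError('expected ldap://... or ldaps://...')
    scheme, hostpart, rest = m.group(1), m.group(2), m.group(3) or ''
    default_port = 636 if scheme == 'ldaps' else 389
    servers = []
    for hp in hostpart.split() or ['localhost']:   # empty host part -> localhost
        host, _, port = hp.partition(':')
        servers.append((host, int(port) if port else default_port))
    fields = rest.split('?') + [''] * 4             # pad missing components
    basedn, attrs, scope, filt = fields[:4]
    return {
        'scheme': scheme,
        'servers': servers,
        'basedn': unquote(basedn),
        'attribute': attrs.split(',')[0].strip() or 'uid',
        'scope': scope if scope in ('one', 'sub') else 'sub',
        'filter': unquote(filt) or '(objectClass=*)',
    }

def build_search_filter(parsed, username):
    """Combine the URL filter with attribute=username as the module does."""
    return '(&%s(%s=%s))' % (parsed['filter'], parsed['attribute'],
                             escape_filter_value(username))

def connect_first_available(servers, try_connect):
    """Try each (host, port) in listed order and return the first that works.
    A reconnect repeats this from the primary, which is not round-robin."""
    for host, port in servers:
        conn = try_connect(host, port)      # returns a handle or None
        if conn is not None:
            return (host, port), conn
    raise ConnectionError('no LDAP server reachable: %r' % (servers,))
```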

