[Auth_ldap] support for multiple servers - any updates ? any other module ?

Ricardo Stella stella at rider.edu
Mon Sep 19 09:13:28 PDT 2005


No.  It won't roll over to the next one.  Not sure what the timeout
would be, and there's no way to have it specified.  I replied back to
the list but not sure if it made it...

I've tried several combinations like:

AuthLDAPUrl   ldap://server:port
ldap://server2:port/basedn?attribute?scope?filter
or
AuthLDAPUrl   ldap://server:port/basedn?attribute?scope?filter
ldap://server2:port/basedn?attribute?scope?filter

The thing is that my basedn is old style and has spaces in it, i.e.:
o=My Organization, c=US

I tried putting the base within quotes but same thing, it never hits the
next one.  The whole ldap string can't be within quotes (module won't
allow it).  To verify redundancy, I have two servers, one of them down
(the first ldap string).

Brady Bellinger wrote:

> Does this not work for you (look for three asterisks)?
>
>
>       AuthLDAPUrl
>
> Syntax: AuthLDAPUrl url <http://www.apache.org/docs/mod/directive-dict.html#Syntax>
> Context: directory, .htaccess <http://www.apache.org/docs/mod/directive-dict.html#Context>
> Override: AuthConfig <http://www.apache.org/docs/mod/directive-dict.html#Override>
> Status: Extension <http://www.apache.org/docs/mod/directive-dict.html#Status>
> Module: auth_ldap <http://www.apache.org/docs/mod/directive-dict.html#Module>
>
> An RFC 2255 URL which specifies the LDAP search parameters to use. The
> syntax of the URL is
>
> ldap://host:port/basedn?attribute?scope?filter
>
> ldap: For regular ldap, use the string ldap. For secure LDAP, use
> ldaps instead. Secure LDAP is only available if auth_ldap was
> compiled with SSL support.
>
> host:port: The name/port of the ldap server (defaults to localhost:389 for
> ldap, and localhost:636 for ldaps). *** To specify multiple,
> redundant LDAP servers, just list all servers, separated by spaces.
> auth_ldap will try connecting to each server in turn, until it makes a
> successful connection. ***
>
> Once a connection has been made to a server, that connection remains
> active for the life of the httpd process, or until the LDAP server
> goes down.
>
> If the LDAP server goes down and breaks an existing connection,
> auth_ldap will attempt to re-connect, starting with the primary
> server, and trying each redundant server in turn. Note that this is
> different than a true round-robin search.
>
> basedn: The DN of the branch of the directory where all searches
> should start from. At the very least, this must be the top of your
> directory tree, but could also specify a subtree in the directory.
>
> attribute: The attribute to search for. Although RFC 2255 allows a
> comma-separated list of attributes, only the first attribute will be
> used, no matter how many are provided. If no attributes are provided,
> the default is to use uid. It's a good idea to choose an attribute
> that will be unique across all entries in the subtree you will be using.
>
> scope: The scope of the search. Can be either one or sub. Note
> that a scope of base is also supported by RFC 2255, but is not
> supported by this module. If the scope is not provided, or if base
> scope is specified, the default is to use a scope of sub.
>
> filter: A valid LDAP search filter. If not provided, defaults to
> (objectClass=*), which will search for all objects in the tree.
> Filters are limited to approximately 8000 characters (the definition
> of MAX_STRING_LEN in the Apache source code). This should be more than
> sufficient for any application.
>
> When doing searches, the attribute, filter and username passed by the
> HTTP client are combined to create a search filter that looks like
> (&(filter)(attribute=username)).
>
> For example, consider an URL of
> ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*). When a
> client attempts to connect using a username of Babs Jenson, the
> resulting search filter will be (&(posixid=*)(cn=Babs Jenson)).
>
> See below for examples of AuthLDAPURL URLs
> <http://www.rudedog.org/auth_ldap/1.6/auth_ldap.html#dir:AuthLDAPURL>.
>
>
>
> On 9/15/05, Rohit Kumar Mehta <rohitm at engr.uconn.edu> wrote:
>
>     I want that too!
>     That would be a very valuable feature.
>
>     We have 3 ldap servers and a ldap cname that points at one of them.
>     If we know we have to take that one down, we change the ldap cname.
>     However, that does not help us in the event of an unplanned outage.
>
>     Rohit
>
>     Ricardo Stella wrote:
>
>     >I'm looking for multiple ldap servers support.  Has anyone done any
>     >patches for it ?
>     >
>     >If not, does anyone know of any other modules that would support
>     >it ? I would rather have it being supported by the module than having
>     >to rely on round robin DNS...
>     >
>     >Also, is this module dead ? TIA...
>     >
>     >TIA.
>     >
>     >
>     >
>     >_______________________________________________
>     >Auth_ldap mailing list
>     >Auth_ldap at rudedog.org <mailto:Auth_ldap at rudedog.org>
>     >http://www.rudedog.org/mailman/listinfo/auth_ldap
>     >
>     >
>
> -- 
> brady at bradybellinger dot com
> To send me encrypted email or verify my signature, my public key is
> available at <http://bradybellinger.com/brady.asc>.
>

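The AuthLDAPUrl syntax and filter construction quoted above, as an added example that is not auth_ldap's own code: it assumes one scheme followed by space-separated host[:port] entries with the RFC 2255 path after the last host, and that a basedn containing spaces (like the one in this thread) is written percent-encoded, since whitespace is the server separator. The RFC 4515 escaping of the username is added here for safety and is not something the quoted docs describe.

```python
from urllib.parse import unquote

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_auth_ldap_url(value: str) -> dict:
    """Split an AuthLDAPUrl value into scheme, server list and RFC 2255 parts."""
    scheme, sep, rest = value.partition("://")
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError("scheme must be ldap or ldaps")
    hosts_part, _, path = rest.partition("/")
    servers = []
    for token in hosts_part.split():  # whitespace separates the redundant servers
        host, _, port = token.partition(":")
        servers.append((host, int(port) if port else DEFAULT_PORT[scheme]))
    if not servers:  # documented default when no host is given
        servers.append(("localhost", DEFAULT_PORT[scheme]))
    parts = path.split("?") + [""] * 4
    # A basedn with spaces must arrive as o=My%20Organization,%20c=US; unquote restores it
    basedn, attribute, scope, filt = (unquote(p) for p in parts[:4])
    if scope not in ("one", "sub"):  # "base" is unsupported per the docs: fall back to sub
        scope = "sub"
    return {
        "scheme": scheme,
        "servers": servers,
        "basedn": basedn,
        "attribute": attribute.split(",")[0] or "uid",  # only the first attribute is used
        "scope": scope,
        "filter": filt or "(objectClass=*)",
    }


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a client-supplied username (assumption: not in the docs)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def search_filter(url: dict, username: str) -> str:
    """Build the documented (&(filter)(attribute=username)) search filter."""
    return "(&%s(%s=%s))" % (url["filter"], url["attribute"], escape_filter_value(username))


if __name__ == "__main__":
    # Constructed directive value: two redundant servers and a basedn with spaces
    cfg = parse_auth_ldap_url(
        "ldap://ldap1.example.test ldap2.example.test:3389/o=My%20Organization,%20c=US?cn?sub?(posixid=*)"
    )
    print(cfg["servers"], cfg["basedn"])
    print(search_filter(cfg, "Babs Jenson"))
```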
