[Auth_ldap] support for multiple servers - any updates ? any other module ?

Brady Bellinger brady.bellinger at gmail.com
Mon Sep 19 09:23:26 PDT 2005


I've never tested it...so I can't say if my config works or not.

I'm in the process of setting up a load-balancer / failover LDAP utility 
that I'm going to use with an application that does provide for failover...I 
would imagine you could use this as well...it's called "balance"...the 
website is http://www.inlab.de/balance.html

I haven't set it up yet, but it looks like it would do the trick.

Brady



On 9/19/05, Ricardo Stella <stella at rider.edu> wrote:
> 
> 
> No. It won't roll over to the next one. Not sure what the timeout
> would be, and there's no way to have it specified. I replied back to
> the list but not sure if it made it...
> 
> I've tried several combinations like:
> 
> AuthLDAPUrl ldap://server:port
> ldap://server2:port/basedn?attribute?scope?filter
> or
> AuthLDAPUrl ldap://server:port/basedn?attribute?scope?filter
> ldap://server2:port/basedn?attribute?scope?filter
> 
> The thing is that my basedn is old style and has spaces in it, ie:
> o=My Organization, c=US
> 
> I tried putting the base within quotes but same thing, it never hits the
> next one. The whole ldap string can't be within quotes (module won't
> allow it). To verify redundancy, I have two servers, one of them down
> (the first ldap string).
> 
> Brady Bellinger wrote:
> 
> > Does this not work for you (look for three asterisks)?
> >
> >
> > AuthLDAPUrl
> >
> > *Syntax:* AuthLDAPUrl /url/
> > *Context:* directory, .htaccess
> > *Override:* AuthConfig
> > *Status:* Extension
> > *Module:* auth_ldap
> >
> > An RFC 2255 URL which specifies the LDAP search parameters to use. The
> > syntax of the URL is
> >
> > ldap://host:port/basedn?attribute?scope?filter
> >
> > ldap For regular ldap, use the string /ldap/. For secure LDAP, use
> > /ldaps/ instead. Secure LDAP is only available if auth_ldap was
> > compiled with SSL support.
> > host:port
> >
> > The name/port of the ldap server (defaults to /localhost:389/ for
> > /ldap/, and /localhost:636/ for /ldaps/).*** To specify multiple,
> > redundant LDAP servers, just list all servers, separated by spaces.
> > auth_ldap will try connecting to each server in turn, until it makes a
> > successful connection.***
> >
> > Once a connection has been made to a server, that connection remains
> > active for the life of the /httpd/ process, or until the LDAP server
> > goes down.
> >
> > If the LDAP server goes down and breaks an existing connection,
> > auth_ldap will attempt to re-connect, starting with the primary
> > server, and trying each redundant server in turn. Note that this is
> > different than a true round-robin search.
> >
> > basedn The DN of the branch of the directory where all searches
> > should start from. At the very least, this must be the top of your
> > directory tree, but could also specify a subtree in the directory.
> > attribute The attribute to search for. Although RFC 2255 allows a
> > comma-separated list of attributes, only the first attribute will be
> > used, no matter how many are provided. If no attributes are provided,
> > the default is to use uid. It's a good idea to choose an attribute
> > that will be unique across all entries in the subtree you will be using.
> > scope The scope of the search. Can be either /one/ or /sub/. Note
> > that a scope of /base/ is also supported by RFC 2255, but is not
> > supported by this module. If the scope is not provided, or if /base/
> > scope is specified, the default is to use a scope of /sub/.
> > filter A valid LDAP search filter. If not provided, defaults to
> > (objectClass=*), which will search for all objects in the tree.
> > Filters are limited to approximately 8000 characters (the definition
> > of /MAX_STRING_LEN/ in the Apache source code). This should be more than
> > sufficient for any application.
> >
> > When doing searches, the attribute, filter and username passed by the
> > HTTP client are combined to create a search filter that looks like
> > (&(/filter/)(/attribute/=/username/)).
> >
> > For example, consider a URL of
> > /ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*)/. When a
> > client attempts to connect using a username of /Babs Jenson/, the
> > resulting search filter will be (&(posixid=*)(cn=Babs Jenson)).
> >
> > See below for examples of AuthLDAPURL
> > <http://www.rudedog.org/auth_ldap/1.6/auth_ldap.html#dir:AuthLDAPURL>
> > URLs.
> >
> >
> >
> > On 9/15/05, *Rohit Kumar Mehta* <rohitm at engr.uconn.edu> wrote:
> >
> > I want that too!
> > That would be a very valuable feature.
> >
> > We have 3 ldap servers and a ldap cname that points at one of them.
> > If we know we have to take that one down, we change the ldap cname.
> > However, that does not help us in the event of an unplanned outage.
> >
> > Rohit
> >
> > Ricardo Stella wrote:
> >
> > >I'm looking for multiple ldap servers support. Has anyone done any
> > >patches for it?
> > >
> > >If not, does anyone know of any other modules that would support it?
> > >I would rather have it being supported by the module than having to
> > >rely on round robin DNS...
> > >
> > >Also, is this module dead? TIA...
> > >
> > >
> > >
> > >_______________________________________________
> > >Auth_ldap mailing list
> > >Auth_ldap at rudedog.org <mailto:Auth_ldap at rudedog.org>
> > >http://www.rudedog.org/mailman/listinfo/auth_ldap
> > >
> > >
> >
> 


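The URL grammar quoted from the documentation above, together with Ricardo's problem of a basedn containing spaces, as an added example that is not code from auth_ldap or from anyone on this thread: a small Python model of the documented syntax. It assumes the redundant host list is whatever sits between the scheme and the first slash, and it adds RFC 4515 escaping of the username, which the quoted documentation does not mention; whether the 2005 module itself decodes %20 inside the basedn is not something this thread settles.

```python
from urllib.parse import unquote

# Added example (not auth_ldap's own code): a model of the AuthLDAPUrl grammar
# quoted above.  Redundant servers are a space-separated host list before the
# first "/", so a space inside the basedn must be written as %20 (RFC 2255) or
# it cannot be told apart from a host separator.
DEFAULT_HOST = {"ldap": "localhost:389", "ldaps": "localhost:636"}


def parse_auth_ldap_url(url):
    """Split one AuthLDAPUrl value into scheme, hosts, basedn, attribute, scope, filter."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in DEFAULT_HOST:
        raise ValueError("AuthLDAPUrl must start with ldap:// or ldaps://")
    hostpart, slash, rest = rest.partition("/")
    hosts = hostpart.split() or [DEFAULT_HOST[scheme]]
    for host in hosts:
        if ":" in host and not host.rsplit(":", 1)[1].isdigit():
            # A leftover "ldap:" means two URLs were written instead of one URL
            # with two hosts; reject it rather than silently using one server.
            raise ValueError(f"bad host token {host!r}: write host[:port] tokens "
                             "separated by spaces, not several URLs")
    fields = rest.split("?", 3) if slash else []
    fields += [""] * (4 - len(fields))
    basedn, attribute, scope, filt = (unquote(f) for f in fields)
    if scope not in ("one", "sub"):
        scope = "sub"  # missing or "base" scope falls back to "sub", as documented
    return {"scheme": scheme, "hosts": hosts, "basedn": basedn,
            "attribute": attribute or "uid", "scope": scope,
            "filter": filt or "(objectClass=*)"}


# RFC 4515 escapes (my addition): without them a crafted username can change
# the shape of the search filter built below.
_FILTER_ESCAPE = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPE.get(c, c) for c in value)


def search_filter(parsed, username):
    """Combine the URL's filter and attribute with the HTTP username as the
    documentation describes: (&(filter)(attribute=username)), username escaped."""
    return f"(&{parsed['filter']}({parsed['attribute']}={escape_filter_value(username)}))"


if __name__ == "__main__":
    # Constructed sample mirroring the thread: two servers and a basedn with spaces.
    url = "ldap://server1:389 server2:389/o=My%20Organization,%20c=US?uid?sub?(objectClass=*)"
    parsed = parse_auth_ldap_url(url)
    print(parsed["hosts"], parsed["basedn"])
    print(search_filter(parsed, "Babs Jenson"))
```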