[Auth_ldap] support for multiple servers - any updates ? any other module ?
Ricardo Stella
stella at rider.edu
Mon Sep 19 09:53:35 PDT 2005
Where would you put balance? On the local host and then tell it to
point to the real ones? That would be an interesting idea:
AuthLDAPUrl ldap://localhost...
and then run:
balance 389 ldap1 ldap2 ldap3
Would try that as well!
Brady Bellinger wrote:
> I've never tested it...so I can't say if my config works or not.
>
> I'm in the process of setting up a load-balancer / failover LDAP
> utility that I'm going to use with an application that does provide
> for failover...I would imagine you could use this as well...it's
> called "balance"...the website is http://www.inlab.de/balance.html
>
> I haven't set it up yet, but it looks like it would do the trick.
>
> Brady
>
>
>
> On 9/19/05, *Ricardo Stella* <stella at rider.edu> wrote:
>
>
> No. It won't roll over to the next one. Not sure what the timeout
> would be, and there's no way to have it specified. I replied back to
> the list but not sure if it made it...
>
> I've tried several combinations like:
>
> AuthLDAPUrl ldap://server:port
> ldap://server2:port/basedn?attribute?scope?filter
> or
> AuthLDAPUrl ldap://server:port/basedn?attribute?scope?filter
> ldap://server2:port/basedn?attribute?scope?filter
>
> The thing is that my basedn is old style and has spaces in it, ie:
> o=My Organization, c=US
>
> I tried putting the base within quotes but same thing, it never hits the
> next one. The whole ldap string can't be within quotes (module won't
> allow it). To verify redundancy, I have two servers, one of them down
> (the first ldap string).
>
> Brady Bellinger wrote:
>
> > Does this not work for you (look for three asterisks)?
> >
> >
> > AuthLDAPUrl
> >
> > *Syntax:* <http://www.apache.org/docs/mod/directive-dict.html#Syntax> AuthLDAPUrl /url/
> > *Context:* <http://www.apache.org/docs/mod/directive-dict.html#Context> directory, .htaccess
> > *Override:* <http://www.apache.org/docs/mod/directive-dict.html#Override> AuthConfig
> > *Status:* <http://www.apache.org/docs/mod/directive-dict.html#Status> Extension
> > *Module:* <http://www.apache.org/docs/mod/directive-dict.html#Module> auth_ldap
> >
> > An RFC 2255 URL which specifies the LDAP search parameters to use. The syntax of the URL is
> >
> > ldap://host:port/basedn?attribute?scope?filter
> >
> > ldap For regular ldap, use the string /ldap/. For secure LDAP, use /ldaps/ instead. Secure LDAP is only available if auth_ldap was compiled with SSL support.
> >
> > host:port The name/port of the ldap server (defaults to /localhost:389/ for /ldap/, and /localhost:636/ for /ldaps/). ***To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. auth_ldap will try connecting to each server in turn, until it makes a successful connection.***
> >
> > Once a connection has been made to a server, that connection remains active for the life of the /httpd/ process, or until the LDAP server goes down.
> >
> > If the LDAP server goes down and breaks an existing connection, auth_ldap will attempt to re-connect, starting with the primary server, and trying each redundant server in turn. Note that this is different than a true round-robin search.
> >
> > basedn The DN of the branch of the directory where all searches should start from. At the very least, this must be the top of your directory tree, but could also specify a subtree in the directory.
> >
> > attribute The attribute to search for. Although RFC 2255 allows a comma-separated list of attributes, only the first attribute will be used, no matter how many are provided. If no attributes are provided, the default is to use uid. It's a good idea to choose an attribute that will be unique across all entries in the subtree you will be using.
> >
> > scope The scope of the search. Can be either /one/ or /sub/. Note that a scope of /base/ is also supported by RFC 2255, but is not supported by this module. If the scope is not provided, or if /base/ scope is specified, the default is to use a scope of /sub/.
> >
> > filter A valid LDAP search filter. If not provided, defaults to (objectClass=*), which will search for all objects in the tree. Filters are limited to approximately 8000 characters (the definition of /MAX_STRING_LEN/ in the Apache source code). This should be more than sufficient for any application.
> >
> > When doing searches, the attribute, filter and username passed by the HTTP client are combined to create a search filter that looks like (&(/filter/)(/attribute/=/username/)).
> >
> > For example, consider a URL of /ldap://ldap.airius.com/o=Airius?cn?sub?(posixid=*)/. When a client attempts to connect using a username of /Babs Jenson/, the resulting search filter will be (&(posixid=*)(cn=Babs Jenson)).
> >
> > See below for examples of AuthLDAPURL <http://www.rudedog.org/auth_ldap/1.6/auth_ldap.html#dir:AuthLDAPURL> URLs.
> >
> >
> >
> > On 9/15/05, *Rohit Kumar Mehta* <rohitm at engr.uconn.edu> wrote:
> >
> > I want that too!
> > That would be a very valuable feature.
> >
> > We have 3 ldap servers and a ldap cname that points at one of them.
> > If we know we have to take that one down, we change the ldap cname.
> > However, that does not help us in the event of an unplanned outage.
> >
> > Rohit
> >
> > Ricardo Stella wrote:
> >
> > >I'm looking for multiple ldap servers support. Has anyone done any patches for it?
> > >
> > >If not, does any one know of any other modules that would support it? I would rather have it being supported by the module than having to rely on round robin DNS...
> > >
> > >Also, is this module dead? TIA...
> > >
> > >TIA.
> > >
> > >
> > >
> > >_______________________________________________
> > >Auth_ldap mailing list
> > >Auth_ldap at rudedog.org
> > >http://www.rudedog.org/mailman/listinfo/auth_ldap
> > >
> > >
> > --
> > brady at bradybellinger dot com
> > To send me encrypted email or verify my signature, my public key is
> > available here: http://bradybellinger.com/brady.asc
> >
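The AuthLDAPUrl syntax quoted in this thread (one scheme, several space-separated hosts, RFC 2255 percent-encoding, and the (&(filter)(attribute=username)) composition), worked through as an added example that is not part of the thread and not auth_ldap's own code; parse_auth_ldap_url, escape_filter_value and search_filter are hypothetical names, and the RFC 4515 escaping of the client-supplied username is added hardening that the quoted documentation does not mention.

```python
import re
from urllib.parse import unquote

# Added illustration, not auth_ldap's own parser: read an AuthLDAPUrl value in
# the RFC 2255 form the quoted documentation gives, then build the search
# filter "(&(filter)(attribute=username))" the documentation says is issued.
_URL_RE = re.compile(r"^(ldaps?)://([^/?]*)(?:/([^?]*))?(?:\?(.*))?$", re.S)

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def parse_auth_ldap_url(value):
    """Return scheme, host list, basedn, attribute, scope and filter."""
    m = _URL_RE.match(value.strip())
    if not m:
        raise ValueError("expected ldap://... or ldaps://...")
    scheme, hostpart, basedn, query = m.groups()
    if "ldap:" in hostpart:
        # The scheme is written once; redundant servers are bare host[:port]
        # tokens separated by spaces, tried in turn.
        raise ValueError("list redundant servers as host[:port], not as URLs")
    default_port = 636 if scheme == "ldaps" else 389
    hosts = []
    for token in hostpart.split() or ["localhost"]:
        name, _, port = token.partition(":")
        hosts.append((name, int(port) if port else default_port))
    attribute, scope, filt = ((query or "").split("?") + ["", "", ""])[:3]
    return {
        "scheme": scheme,
        "hosts": hosts,
        # RFC 2255 percent-encodes spaces, so an old-style basedn is written
        # as o=My%20Organization,%20c=US and decoded here.
        "basedn": unquote(basedn or ""),
        # Only the first of a comma-separated attribute list is used.
        "attribute": attribute.split(",")[0] or "uid",
        # "base" is not supported; anything other than "one" becomes "sub".
        "scope": "one" if scope == "one" else "sub",
        "filter": unquote(filt) or "(objectClass=*)",
    }


def escape_filter_value(value):
    """Escape a client-supplied username before splicing it into the filter
    (added hardening; the quoted documentation does not say the module does it)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def search_filter(url, username):
    """The filter the documentation describes, with the username escaped."""
    cfg = parse_auth_ldap_url(url)
    return "(&%s(%s=%s))" % (cfg["filter"], cfg["attribute"],
                            escape_filter_value(username))
```

With the documentation's own example, search_filter("ldap://ldap.airius.com/o=Airius?cn?sub?%28posixid=*%29", "Babs Jenson") yields (&(posixid=*)(cn=Babs Jenson)); a username containing "*" or parentheses is neutralised instead of rewriting the filter.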