6

I've been trying to setup redundant LDAP servers with Apache 2.2.3.

/etc/httpd/conf.d/authn_alias.conf

<AuthnProviderAlias ldap master>
    AuthLDAPURL ldap://192.168.5.148:389/dc=domain,dc=vn?cn
    AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
    AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>

<AuthnProviderAlias ldap slave>
    AuthLDAPURL ldap://192.168.5.199:389/dc=domain,dc=vn?cn
    AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
    AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>

/etc/httpd/conf.d/authz_ldap.conf

#
# mod_authz_ldap can be used to implement access control and 
# authenticate users against an LDAP database.
# 

LoadModule authz_ldap_module modules/mod_authz_ldap.so

<IfModule mod_authz_ldap.c>
   <Location />
        AuthBasicProvider master slave
        AuthzLDAPAuthoritative Off
        AuthType Basic
        AuthName "Authorization required"

        AuthzLDAPMemberKey member
        AuthUserFile /home/setup/svn/auth-conf
        AuthzLDAPSetGroupAuth user
        require valid-user
        AuthzLDAPLogLevel error
   </Location>
</IfModule>

If I understand correctly, mod_authz_ldap will try to search users in the second LDAP if the first server is down or OpenLDAP on it is not running.

But in practice, it does not happen. Tested by stopping LDAP on the master, I get the "500 Internal Server Error" when accessing to the Subversion repository. The error_log shows:

[11061] auth_ldap authenticate: user quanta authentication failed; URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]

Did I misunderstand? AuthBasicProvider ldap1 ldap2 only means that if mod_authz_ldap can't find the user in ldap1, it will continue with ldap2. It doesn't include the failover feature (ldap1 must be running and working fine)?

quanta
  • 50,327
  • 19
  • 152
  • 213

2 Answers2

6

I'm far from beaing a specialist for LDAP but according to the mod_authnz_ldap docs you have to specify the failover LDAP server in the AuthLDAPUrl Directive like this

AuthLDAPURL "ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius"

Edit: Clarification

You cannot set different filters for the failovers. A failover has to be a mirror of the primary server to serve the same data.

Christopher Perrin
  • 4,741
  • 17
  • 32
  • Thanks. This works: `AuthLDAPURL "ldap://ldap1:389 ldap2:389/dc=domain,dc=vn?cn?sub?(objectClass=*)"` but this doesn't: `AuthLDAPURL "ldap://ldap1:389/dc=domain,dc=vn?cn?sub?(objectClass=*) ldap2:389/dc=domain,dc=vn?cn?sub?(objectClass=*)"` (`Bad URL encountered while parsing LDAP URL`). What happens if I want to specify different filter for 2 ldaps? Moreover, does anyone else get it working with `mod_authz_ldap`? – quanta Jul 02 '12 at 04:25
  • 1
    A failover should be a copy of the main ldap server. Otherwise it would be no failover. – Christopher Perrin Jul 02 '12 at 15:18
2

What Christopher Perrin said, but also the default timeout is ten seconds, which you may want to shorten to five seconds so you 'fail fast' and people get a response back quicker.

TCP takes a couple seconds to detect lost network packets and re-transmit. Never set a timeout below 5 seconds or it might drop working connections erratically.

In a worldwide environment, say the web server is in an Asia branch but the LDAP is in the Europe headquarter, consider raising the timeout to 15 seconds.

user5994461
  • 2,749
  • 1
  • 17
  • 30
DAM
  • 21
  • 1