
According to instructions, I have configured multiple LDAP sources for redundancy. I have found some problems with the configuration.

  1. If the LDAP service is not working on the designated LDAP server, instead of going to the next server in the list, things just hang; work does not progress through the other entries in the list.

  2. If an LDAP server is down and not working, it throws a 5xx internal server error and does not progress through the other entries in the list.

Are these Apache bugs, or should I be including more directives to properly configure the redundancy?

Section of httpd.conf in question:

 <AuthnProviderAlias ldap ldap1>
     AuthBasicProvider ldap
     AuthLDAPURL "ldap://ldap1.server.com:389/dc=server,dc=com?sAMAccountName?sub?(objectClass=*)"
     AuthLDAPBindDN "CN=matcher,OU=Application Accounts,dc=server,dc=com"
     AuthLDAPBindPassword "SECRET"
 </AuthnProviderAlias>

 <AuthnProviderAlias ldap ldap2>
     AuthBasicProvider ldap
     AuthLDAPURL "ldap://ldap2.server.com:389/dc=server,dc=com?sAMAccountName?sub?(objectClass=*)"
     AuthLDAPBindDN "CN=matcher,OU=Application Accounts,dc=server,dc=com"
     AuthLDAPBindPassword "SECRET"
 </AuthnProviderAlias>

 <AuthnProviderAlias ldap ldap3>
     AuthBasicProvider ldap
     AuthLDAPURL "ldap://ldap3.server.com:389/dc=server,dc=com?sAMAccountName?sub?(objectClass=*)"
     AuthLDAPBindDN "CN=matcher,OU=Application Accounts,dc=server,dc=com"
     AuthLDAPBindPassword "SECRET"
 </AuthnProviderAlias>

 <AuthnProviderAlias file file1>
     AuthUserFile /etc/mdpctest/htpasswd.users
 </AuthnProviderAlias>

 <Directory /srv/www/htdocs/mdptest>
     Order deny,allow
     Deny from All
     AuthName "Request Access"
     AuthType Basic
     AuthBasicProvider file1 ldap1 ldap2 ldap3
     AuthzLDAPAuthoritative on
     require valid-user
     Satisfy any
 </Directory>

The Apache version information is:

 Server version: Apache/2.2.12 (Linux/SUSE)
 Server built:   Nov 30 2011 17:54:13
 Server's Module Magic Number: 20051115:23
 Server loaded:  APR 1.3.3, APR-Util 1.3.4
 Compiled using: APR 1.3.3, APR-Util 1.3.4
 Architecture:   64-bit
 Server MPM:     Prefork
   threaded:     no
     forked:     yes (variable process count)
 Server compiled with....
  -D APACHE_MPM_DIR="server/mpm/prefork"
  -D APR_HAS_SENDFILE
  -D APR_HAS_MMAP
  -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
  -D APR_USE_SYSVSEM_SERIALIZE
  -D APR_USE_PTHREAD_SERIALIZE
  -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
  -D APR_HAS_OTHER_CHILD
  -D AP_HAVE_RELIABLE_PIPED_LOGS
  -D DYNAMIC_MODULE_LIMIT=128
  -D HTTPD_ROOT="/srv/www"
  -D SUEXEC_BIN="/usr/sbin/suexec2"
  -D DEFAULT_PIDLOG="/var/run/httpd2.pid"
  -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
  -D DEFAULT_LOCKFILE="/var/run/accept.lock"
  -D DEFAULT_ERRORLOG="/var/log/apache2/error_log"
  -D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
  -D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"
mdpc
  • Have tried AuthzLDAPAuthoritative on both in the off and on position with no effect. – mdpc Feb 16 '12 at 20:30

2 Answers


Well this has worked for me:

AuthLDAPURL ldap://ldap.company.com:389,ldapbackup.company.com:1389/ou=Users,dc=company,dc=com?uid

I didn't need any quotes and separating the servers with a space didn't work. (Apache/2.2.14)

Jure1873
  • I'm wondering if the QUOTES are necessary since there is a space between the parameters. (The format comes from the Apache website). Also, wondering if some smart programmer put in the parse for the COMMA character realizing the problem with the SPACE in the first place? – mdpc Feb 21 '12 at 23:35
  • Hehe it may be so, but I didn't check the source. – Jure1873 Feb 22 '12 at 16:20

The answer is to specify the multiple sources in the LDAP configuration record.

Notice the space separating the host specs in the AuthLDAPURL as well as the fact that the directive is enclosed in quotes:

Section of httpd.conf in question:

 <AuthnProviderAlias ldap ldap1>
     AuthBasicProvider ldap
     AuthLDAPURL "ldap://ldap1.server.com:389 ldap2.server.com:389 ldap3.server.com:389/dc=server,dc=com?sAMAccountName?sub?(objectClass=*)"
     AuthLDAPBindDN "CN=matcher,OU=Application Accounts,dc=server,dc=com"
     AuthLDAPBindPassword "SECRET"
 </AuthnProviderAlias>

 <AuthnProviderAlias file file1>
     AuthUserFile /etc/mdpctest/htpasswd.users
 </AuthnProviderAlias>

 <Directory /srv/www/htdocs/mdptest>
     Order deny,allow
     Deny from All
     AuthName "Request Access"
     AuthType Basic
     AuthBasicProvider file1 ldap1
     AuthzLDAPAuthoritative on
     require valid-user
     Satisfy any
 </Directory>
mdpc
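Both answers put all servers into a single AuthLDAPURL, and that matters because of how the original provider chain fails: mod_auth_basic in 2.2 only moves on to the next AuthBasicProvider when a provider reports that the user was not found. An ldap1 alias whose server cannot be reached reports a general error instead, which ends the chain with a 5xx (problem 2 in the question), and a connect with no bound simply blocks the request (problem 1). With every host in one URL the failover happens inside the LDAP client library, bounded by mod_ldap's LDAPConnectionTimeout where the build supports it. The following is an added example, not code from this thread, from httpd or from OpenLDAP: a stand-alone Python model that parses both host-list forms shown in the answers (space-separated inside quotes, and comma-separated), reproduces the provider-chain stop, and walks the hosts of one URL with a per-host connect timeout. The function names, the result-code strings and the sample URLs are assumptions of the example; bracketed IPv6 literals are not handled.

```python
"""Added example (not from the thread, httpd or OpenLDAP): a model of the
multi-host AuthLDAPURL layout scheme://hostlist/basedn?attribute?scope?filter,
of the 2.2 AuthBasicProvider chain, and of per-host failover with a timeout.
All names, result codes and sample URLs below are constructed for the example."""
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

HostPort = Tuple[str, int]


@dataclass
class LdapUrl:
    scheme: str
    hosts: List[HostPort]
    basedn: str
    attribute: str
    scope: str
    search_filter: str


def parse_authldapurl(url: str) -> LdapUrl:
    """Split an AuthLDAPURL value into its parts. The host list is cut at the
    first '/' after the scheme BEFORE any comma handling, because the base DN
    itself contains commas (dc=server,dc=com). Hosts may then be separated by
    spaces (Apache docs, second answer) or commas (first answer)."""
    url = url.strip().strip('"')            # the directive value may be quoted
    scheme, sep, rest = url.partition("://")
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported or missing scheme in {url!r}")
    hostpart, _, tail = rest.partition("/")
    default_port = 636 if scheme == "ldaps" else 389
    hosts: List[HostPort] = []
    for spec in hostpart.replace(",", " ").split():
        host, _, port = spec.partition(":")
        hosts.append((host, int(port) if port else default_port))
    if not hosts:
        raise ValueError("AuthLDAPURL names no host")
    parts = tail.split("?", 3) + [""] * 4   # pad so every field exists
    basedn, attribute, scope, filt = parts[:4]
    # Defaults for omitted fields follow the mod_authnz_ldap documentation.
    return LdapUrl(scheme, hosts, basedn, attribute or "uid",
                   scope or "sub", filt or "(objectClass=*)")


# Result codes a 2.2 authn provider can report back to mod_auth_basic
# (string labels chosen for this example).
USER_NOT_FOUND, GRANTED, DENIED, GENERAL_ERROR = (
    "USER_NOT_FOUND", "GRANTED", "DENIED", "GENERAL_ERROR")


def chain_providers(results: List[Tuple[str, str]]) -> Tuple[Optional[str], str]:
    """Model of the AuthBasicProvider loop in mod_auth_basic 2.2: the next
    provider runs only when the current one reports USER_NOT_FOUND. Any other
    answer ends the chain, so an ldap1 that cannot reach its server
    (GENERAL_ERROR, rendered as a 5xx) never lets ldap2 or ldap3 run."""
    for name, result in results:
        if result == USER_NOT_FOUND:
            continue
        return name, result
    return None, USER_NOT_FOUND


Connector = Callable[[str, int, float], None]   # raises OSError on failure


def tcp_connect(host: str, port: int, timeout: float) -> None:
    """Real bounded TCP connect. Without a timeout an unreachable host blocks
    the request until the OS gives up; in httpd the bound comes from
    mod_ldap's LDAPConnectionTimeout."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def select_host(parsed: LdapUrl, timeout: float = 3.0,
                connect: Connector = tcp_connect) -> Tuple[Optional[HostPort], List[str]]:
    """Try the hosts of one AuthLDAPURL in order, skipping any that fail to
    connect: the failover the LDAP client library performs once all servers
    sit in a single URL. Returns the first reachable host (or None) and a
    trace suitable for the error log."""
    trace: List[str] = []
    for host, port in parsed.hosts:
        try:
            connect(host, port, timeout)
        except OSError as exc:
            trace.append(f"{host}:{port} unreachable ({exc}); trying next host")
            continue
        trace.append(f"{host}:{port} reachable; using it")
        return (host, port), trace
    trace.append("no LDAP host reachable; authentication cannot proceed")
    return None, trace


if __name__ == "__main__":
    # Constructed URL in the quoted, space-separated form of the second answer.
    parsed = parse_authldapurl('"ldap://ldap1.server.com:389 ldap2.server.com:389 '
                               'ldap3.server.com:389/dc=server,dc=com?sAMAccountName?sub?(objectClass=*)"')
    print("hosts:", parsed.hosts)

    def only_third(host: str, port: int, timeout: float) -> None:
        if host != "ldap3.server.com":      # simulated: only ldap3 answers
            raise OSError("connection refused")

    print("\n".join(select_host(parsed, connect=only_third)[1]))
    print("chain with unreachable ldap1:", chain_providers(
        [("file1", USER_NOT_FOUND), ("ldap1", GENERAL_ERROR), ("ldap2", GRANTED)]))
```

Running the script with the simulated connector prints ldap1 and ldap2 as skipped and ldap3 as selected, while the chain model shows the original aliased setup stopping at ldap1 with a general error even though ldap2 would have granted access.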