According to instructions, I have configured multiple LDAP sources for redundancy. I have found some problems with the configuration.
If an LDAP service is not working on the designated LDAP server, then instead of going to the next server in the list, things just hang; work does not progress through the other entries in the list.
If an LDAP server is down and not working, it throws a 5xx internal server error and does not progress through the other entries in the list.
Are these Apache bugs, or should I be including more directives to properly configure the redundancy?
Section of httpd.conf in question:
<AuthnProviderAlias ldap ldap1>
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap1.server.com:389/dc=server,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=matcher,OU=Application Accounts,dc=server,dc=com"
AuthLDAPBindPassword "SECRET"
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap2>
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap2.server.com:389/dc=server,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=matcher,OU=Application Accounts,dc=server,dc=com"
AuthLDAPBindPassword "SECRET"
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap3>
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap3.server.com:389/dc=server,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=matcher,OU=Application Accounts,dc=server,dc=com"
AuthLDAPBindPassword "SECRET"
</AuthnProviderAlias>
<AuthnProviderAlias file file1>
AuthUserFile /etc/mdpctest/htpasswd.users
</AuthnProviderAlias>
<Directory /srv/www/htdocs/mdptest>
Order deny,allow
Deny from All
AuthName "Request Access"
AuthType Basic
AuthBasicProvider file1 ldap1 ldap2 ldap3
AuthzLDAPAuthoritative on
require valid-user
Satisfy any
</Directory>
The Apache version information is:
Server version: Apache/2.2.12 (Linux/SUSE)
Server built: Nov 30 2011 17:54:13
Server's Module Magic Number: 20051115:23
Server loaded: APR 1.3.3, APR-Util 1.3.4
Compiled using: APR 1.3.3, APR-Util 1.3.4
Architecture: 64-bit
Server MPM: Prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/prefork"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=128
-D HTTPD_ROOT="/srv/www"
-D SUEXEC_BIN="/usr/sbin/suexec2"
-D DEFAULT_PIDLOG="/var/run/httpd2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_LOCKFILE="/var/run/accept.lock"
-D DEFAULT_ERRORLOG="/var/log/apache2/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/httpd.conf"
Well, this has worked for me:
I didn't need any quotes, and separating the servers with a space didn't work. (Apache/2.2.14)
The answer is to specify the multiple sources in the LDAP configuration record.
Notice the space separating the host specs in the AuthLDAPURL, as well as the fact that the directive is enclosed in quotes:
Section of httpd.conf in question:
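As an added example (not the configuration posted by either answerer or by the original poster), here is the failover form that the mod_authnz_ldap documentation describes: one ldap provider whose quoted AuthLDAPURL lists every redundant host, separated by spaces. Hostnames, the bind DN, the base DN and the file paths are reused from the question; the alias name ldap-ha and the connection timeout value are assumptions.

```apache
# Added example: one LDAP provider carrying all three hosts in a single,
# quoted AuthLDAPURL. mod_authnz_ldap tries each host in turn until one
# accepts a connection, so a dead ldap1 no longer blocks ldap2 and ldap3.
#
# Why the per-alias approach failed over poorly: mod_auth_basic walks the
# AuthBasicProvider list only while a provider answers "user not found".
# A provider that cannot reach its server returns a general error, which
# stops the walk and surfaces as a 500, exactly the symptom in the question.

# Server-config context (not inside <Directory>): bound the time spent
# connecting to an unreachable host so requests fail fast instead of hanging.
# Assumed value; needs client-library support for a network timeout.
LDAPConnectionTimeout 5

<AuthnProviderAlias ldap ldap-ha>
    AuthLDAPURL "ldap://ldap1.server.com:389 ldap2.server.com:389 ldap3.server.com:389/dc=server,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=matcher,OU=Application Accounts,dc=server,dc=com"
    AuthLDAPBindPassword "SECRET"
</AuthnProviderAlias>

<AuthnProviderAlias file file1>
    AuthUserFile /etc/mdpctest/htpasswd.users
</AuthnProviderAlias>

<Directory /srv/www/htdocs/mdptest>
    Order deny,allow
    Deny from All
    AuthName "Request Access"
    AuthType Basic
    # Local break-glass file first, then the single provider that owns the
    # failover list; no separate ldap1/ldap2/ldap3 aliases are needed.
    AuthBasicProvider file1 ldap-ha
    AuthzLDAPAuthoritative on
    Require valid-user
    Satisfy any
</Directory>
```

Run `apachectl configtest` after the change; if the URL is not enclosed in double quotes, the space-separated host list is parsed as separate arguments and the directive is rejected.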