I've been trying to setup redundant LDAP servers with Apache 2.2.3.
/etc/httpd/conf.d/authn_alias.conf
<AuthnProviderAlias ldap master>
AuthLDAPURL ldap://192.168.5.148:389/dc=domain,dc=vn?cn
AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>
<AuthnProviderAlias ldap slave>
AuthLDAPURL ldap://192.168.5.199:389/dc=domain,dc=vn?cn
AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>
/etc/httpd/conf.d/authz_ldap.conf
#
# mod_authz_ldap can be used to implement access control and
# authenticate users against an LDAP database.
#
LoadModule authz_ldap_module modules/mod_authz_ldap.so
<IfModule mod_authz_ldap.c>
<Location />
AuthBasicProvider master slave
AuthzLDAPAuthoritative Off
AuthType Basic
AuthName "Authorization required"
AuthzLDAPMemberKey member
AuthUserFile /home/setup/svn/auth-conf
AuthzLDAPSetGroupAuth user
require valid-user
AuthzLDAPLogLevel error
</Location>
</IfModule>
If I understand correctly, mod_authz_ldap
will try to search users in the second LDAP if the first server is down or OpenLDAP on it is not running.
But in practice, it does not happen. Tested by stopping LDAP on the master, I get the "500 Internal Server Error" when accessing to the Subversion repository. The error_log
shows:
[11061] auth_ldap authenticate: user quanta authentication failed;
URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
Did I misunderstand? AuthBasicProvider ldap1 ldap2
only means that if mod_authz_ldap
can't find the user in ldap1, it will continue with ldap2. It doesn't include the failover feature (ldap1 must be running and working fine)?
I'm far from beaing a specialist for LDAP but according to the mod_authnz_ldap docs you have to specify the failover LDAP server in the AuthLDAPUrl Directive like this
Edit: Clarification
You cannot set different filters for the failovers. A failover has to be a mirror of the primary server to serve the same data.
What Christopher Perrin said, but also the default timeout is ten seconds, which you may want to shorten to five seconds so you 'fail fast' and people get a response back quicker.
TCP takes a couple seconds to detect lost network packets and re-transmit. Never set a timeout below 5 seconds or it might drop working connections erratically.
In a worldwide environment, say the web server is in an Asia branch but the LDAP is in the Europe headquarter, consider raising the timeout to 15 seconds.