I've been trying to setup redundant LDAP servers with Apache 2.2.3.
/etc/httpd/conf.d/authn_alias.conf
<AuthnProviderAlias ldap master>
AuthLDAPURL ldap://192.168.5.148:389/dc=domain,dc=vn?cn
AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>
<AuthnProviderAlias ldap slave>
AuthLDAPURL ldap://192.168.5.199:389/dc=domain,dc=vn?cn
AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>
/etc/httpd/conf.d/authz_ldap.conf
#
# mod_authz_ldap can be used to implement access control and
# authenticate users against an LDAP database.
#
LoadModule authz_ldap_module modules/mod_authz_ldap.so
<IfModule mod_authz_ldap.c>
<Location />
AuthBasicProvider master slave
AuthzLDAPAuthoritative Off
AuthType Basic
AuthName "Authorization required"
AuthzLDAPMemberKey member
AuthUserFile /home/setup/svn/auth-conf
AuthzLDAPSetGroupAuth user
require valid-user
AuthzLDAPLogLevel error
</Location>
</IfModule>
If I understand correctly, mod_authz_ldap
will try to search users in the second LDAP if the first server is down or OpenLDAP on it is not running.
But in practice, it does not happen. Tested by stopping LDAP on the master, I get the "500 Internal Server Error" when accessing to the Subversion repository. The error_log
shows:
[11061] auth_ldap authenticate: user quanta authentication failed;
URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
Did I misunderstand? AuthBasicProvider ldap1 ldap2
only means that if mod_authz_ldap
can't find the user in ldap1, it will continue with ldap2. It doesn't include the failover feature (ldap1 must be running and working fine)?
Best Answer
I'm far from beaing a specialist for LDAP but according to the mod_authnz_ldap docs you have to specify the failover LDAP server in the AuthLDAPUrl Directive like this
Edit: Clarification
You cannot set different filters for the failovers. A failover has to be a mirror of the primary server to serve the same data.