Multiple LDAP servers with mod_authn_alias: failover not working when the first LDAP is down?
I've been trying to set up redundant LDAP servers with Apache 2.2.3.
/etc/httpd/conf.d/authn_alias.conf
<AuthnProviderAlias ldap master>
AuthLDAPURL ldap://192.168.5.148:389/dc=domain,dc=vn?cn
AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>
<AuthnProviderAlias ldap slave>
AuthLDAPURL ldap://192.168.5.199:389/dc=domain,dc=vn?cn
AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>
/etc/httpd/conf.d/authz_ldap.conf
#
# mod_authz_ldap can be used to implement access control and
# authenticate users against an LDAP database.
#
LoadModule authz_ldap_module modules/mod_authz_ldap.so
<IfModule mod_authz_ldap.c>
<Location />
AuthBasicProvider master slave
AuthzLDAPAuthoritative Off
AuthType Basic
AuthName "Authorization required"
AuthzLDAPMemberKey member
AuthUserFile /home/setup/svn/auth-conf
AuthzLDAPSetGroupAuth user
require valid-user
AuthzLDAPLogLevel error
</Location>
</IfModule>
If I understand correctly, mod_authz_ldap will try to search users in the second LDAP if the first server is down or OpenLDAP on it is not running.
But in practice, it does not happen. Tested by stopping LDAP on the master, I get the "500 Internal Server Error" when accessing the Subversion repository. The error_log shows:
[11061] auth_ldap authenticate: user quanta authentication failed;
URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
Did I misunderstand? AuthBasicProvider ldap1 ldap2 only means that if mod_authz_ldap can't find the user in ldap1, it will continue with ldap2. It doesn't include the failover feature (ldap1 must be running and working fine)?
I'm far from being a specialist in LDAP, but according to the mod_authnz_ldap docs you have to specify the failover LDAP server in the AuthLDAPUrl directive, like this:
AuthLDAPURL "ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius"
Edit: Clarification
You cannot set different filters for the failovers. A failover has to be a mirror of the primary server to serve the same data.
What Christopher Perrin said, but also the default timeout is ten seconds, which you may want to shorten to five seconds so you 'fail fast' and people get a response back quicker.
TCP takes a couple seconds to detect lost network packets and re-transmit. Never set a timeout below 5 seconds or it might drop working connections erratically.
In a worldwide environment, say the web server is in an Asia branch but the LDAP is in the European headquarters, consider raising the timeout to 15 seconds.
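Putting both answers together, here is an added example (not from the original posts) of how the question's authn_alias.conf could be rewritten: a single alias whose AuthLDAPURL lists both hosts, so the ldap provider itself fails over, plus a shortened mod_ldap connect timeout. It assumes the stock Apache 2.2 modules mod_ldap and mod_authnz_ldap (the ones the docs in the answer describe) are used instead of the third-party mod_authz_ldap, that mod_authn_alias is already loaded in httpd.conf, and that the LDAPConnectionTimeout directive is available in the installed 2.2 build; the alias name and the password placeholder are my own.

```apache
# /etc/httpd/conf.d/authn_alias.conf  (example, assumes mod_authn_alias is loaded)

# mod_ldap provides the connection cache and the timeout knob,
# mod_authnz_ldap provides the "ldap" authentication provider.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Socket connect timeout in seconds (server-wide, mod_ldap).
# 5 s is the floor suggested above: fast failover on a LAN without
# dropping healthy connections. Use ~15 s for a cross-continent link.
LDAPConnectionTimeout 5

# One alias, two hosts. Hosts in AuthLDAPURL are tried in order, so the
# slave is only used when the connection to the master fails (same
# base DN, same attribute, same bind DN: the slave must mirror the master).
# Ports are omitted; 389 is the default for ldap://.
<AuthnProviderAlias ldap domainldap>
    AuthLDAPURL "ldap://192.168.5.148 192.168.5.199/dc=domain,dc=vn?cn"
    AuthLDAPBindDN       cn=anonymous,ou=it,dc=domain,dc=vn
    AuthLDAPBindPassword REPLACE_WITH_BIND_PASSWORD   # placeholder
</AuthnProviderAlias>

# Where the alias is consumed. A second provider after "domainldap" would
# only be consulted when the user is NOT FOUND, not when the server is down.
<Location />
    AuthType Basic
    AuthName "Authorization required"
    AuthBasicProvider domainldap
    Require valid-user
</Location>
```

To confirm failover rather than a silent fallback, stop slapd on the master and check error_log at LogLevel debug: the connect failure for the first host should be followed by a successful bind to the second.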