How to configure multiple LDAP server hosts in Apache version 2.2.
In Apache v2.0, you could define multiple LDAP servers within a single AuthLDAPURL directive, with the host names separated by spaces, like so:
```apache
AuthLDAPURL "ldap://server1.com server2.com server3.com/dc=your-org,dc=com"
```
In Apache v2.2, you may find this syntax broken (not always, as I’ve found), and you could end up with an LDAP connection type error message (which isn’t very helpful or indicative of the actual problem):
```
Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/STARTTLS
```
In order to get redundancy and fail-over for multiple LDAP servers (or, really, any Apache-related service) working in these cases, you’ll also need to activate the mod_authn_alias module. Luckily, this is usually included by default with Apache; otherwise you’ll need to compile it in, install it via a system package, or get it installed however you install your Apache modules. You can check whether this module is present on your system with the following apachectl command:
```shell
apachectl -t -D DUMP_MODULES
```
In your configuration, there are two steps to this syntax: one to define an alias for each of your servers (`AuthnProviderAlias`), and one to define which aliases to include in the list of providers for that service (`AuthBasicProvider`). For example, to define and use two LDAP servers, outside of any virtual host definitions:
```apache
<AuthnProviderAlias ldap ldap1>
    AuthLDAPURL ldap://my.01.ldap.server/dc=something,dc=com
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap2>
    AuthLDAPURL ldap://my.02.ldap.server/dc=something,dc=com
</AuthnProviderAlias>
```
Then within your Location or Directory to be served by LDAP, define the provider including the two aliases you’ve just created:
```apache
AuthBasicProvider ldap1 ldap2
```
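Putting both steps together, here is a complete configuration for a protected location, as an added example that is not taken from the original post. The host names, base DN, bind account and path are placeholders, and the bind directives are an assumption for directories that do not allow anonymous searches.

```apache
# Alias definitions are server-scoped: keep them outside any <VirtualHost>.
# Host names, base DN and bind account are placeholders for this example.
<AuthnProviderAlias ldap ldap1>
    AuthLDAPURL "ldap://ldap1.example.com/dc=example,dc=com?uid?sub"
    # Bind account only needed if the directory disallows anonymous search.
    AuthLDAPBindDN "cn=apache-bind,dc=example,dc=com"
    AuthLDAPBindPassword "PLACEHOLDER-BIND-PASSWORD"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap2>
    AuthLDAPURL "ldap://ldap2.example.com/dc=example,dc=com?uid?sub"
    AuthLDAPBindDN "cn=apache-bind,dc=example,dc=com"
    AuthLDAPBindPassword "PLACEHOLDER-BIND-PASSWORD"
</AuthnProviderAlias>

# Plain ldap:// sends the bind and user passwords in clear text on the wire;
# an ldaps:// URL (with the CA set via LDAPTrustedGlobalCert) avoids that.

<Location /protected>
    AuthType Basic
    AuthName "Restricted area"
    # Providers are consulted in the order listed.
    AuthBasicProvider ldap1 ldap2
    Require valid-user
</Location>
```

After adding this, `apachectl -t` should report a clean syntax check and `apachectl -t -D DUMP_MODULES` should list `authn_alias_module` alongside `authnz_ldap_module`.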
For more information, see the Apache 2.2 online documentation.
#1 by John DeStefano on June 1, 2011 - 3:44 PM
Two things of note here: with further testing, I have been able to get the old `AuthLDAPURL` syntax to work on some systems, though not all, which means it may not be necessary for others to make any changes. A quick syntax check (`apachectl -S`) should reveal any potential problems.
Also, I’m not able to use the “new” service alias syntax in all cases, as it relies on the assumption that BasicAuth is used; on some systems, we’re using an odd combination of Webauth/Kerberos for authentication, and LDAP for authorization, so an `AuthBasicProvider` definition would be ineffective in that environment.