Redundant LDAP servers in Apache

How to configure multiple LDAP server hosts in Apache versions 2.2 and greater.

The Apache HTTP Project

In Apache v2.0, you could define multiple LDAP servers within a single AuthLDAPURL directive, with the host names separated by spaces, like so:

AuthLDAPURL "ldap://,dc=com"

In Apache v2.2, you may find this syntax to be rendered broken (not always, as I’ve found), and you could end up with LDAP connection type error message (which isn’t very helpful or indicative of the actual problem):

Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/STARTTLS

In order to get redundancy and fail-over for multiple LDAP servers (or, really, any Apache-related service) working in these cases, you’ll also need to activate the mod_authn_alias module.  Luckily, this is usually included by default with Apache; otherwise you’ll need to compile it in, install it via system package, or get it installed however you install your Apache modules.  You can check for the existence of the this module on your system with the following apachectl command:

apachectl -t -D DUMP_MODULES

In your configuration, there are two steps to this syntax: one to define an alias for each of your servers (‘AuthnProviderAlias‘), and a definition of which aliases to include in the list of providers for that service (‘AuthBasicProvider‘).  For example, to define and use two LDAP servers, outside of any virtual host definitions:

<AuthnProviderAlias ldap ldap1>
 AuthLDAPURL ldap://my.01.ldap.server/dc=something,dc=com
<AuthnProviderAlias ldap ldap2>
 AuthLDAPURL ldap://my.02.ldap.server/dc=something,dc=com

Then within your Location or Directory to be served by LDAP, define the provider including the two aliases you’ve just created:

AuthBasicProvider ldap1 ldap2

For more information, see the Apache online documentation  for the mod_authn_core and mod_auth_basic modules.


3 thoughts on “Redundant LDAP servers in Apache

  1. Two things of note here: with further testing, I have been able to get the old `AuthLDAPURL` syntax to work on some systems, though not all, which means it may not be necessary for others to make any changes. A quick syntax check (`apachectl -S`) should reveal any potential problems.

    Also, I’m not able to use the “new” service alias syntax in all cases, as it relies on the assumption that BasicAuth is used; on some systems, we’re using an odd combination of Webauth/Kerberos for authentication, and LDAP for authorization, so a `AuthBasicProvider` definition would be ineffective in that environment.

  2. Thanks for your writeup!

    However, I ran into the following issue using Ubuntu 12.04 LTS with Apache/2.2.22.

    Assuming the following configuration (taken from your example):
    AuthBasicProvider ldap1 ldap2

    When ldap1 is down, the authentication process does not go on to try ldap2. In the Apache error.log, I can see that the server just gives up after some tries for ldap1, basically saying that the host is not reachable. It does not query ldap2.

    Have you encountered such an issue as well?

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s