How to configure multiple LDAP server hosts in Apache versions 2.2 and greater.
In Apache v2.0, you could define multiple LDAP servers within a single AuthLDAPURL directive, with the host names separated by spaces, like so:
AuthLDAPURL "ldap://server1.com server2.com server3.com/dc=your-org,dc=com"
In Apache v2.2, you may find this syntax broken (not always, in my experience), and you can end up with an LDAP connection-mode error message (which isn't very helpful or indicative of the actual problem):
Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/STARTTLS
In order to get redundancy and fail-over for multiple LDAP servers (or, really, any Apache-related service) working in these cases, you'll also need to activate the mod_authn_alias module. Luckily, this is usually included by default with Apache; otherwise you'll need to compile it in, install it via a system package, or get it installed however you install your Apache modules. You can check for the existence of this module on your system with the following apachectl command:
apachectl -t -D DUMP_MODULES
In your configuration, there are two steps to this syntax: one to define an alias for each of your servers (`AuthnProviderAlias`), and a definition of which aliases to include in the list of providers for that service (`AuthBasicProvider`). For example, to define and use two LDAP servers, outside of any virtual host definitions:
<AuthnProviderAlias ldap ldap1>
    AuthLDAPURL ldap://my.01.ldap.server/dc=something,dc=com
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap2>
    AuthLDAPURL ldap://my.02.ldap.server/dc=something,dc=com
</AuthnProviderAlias>
Then within your Location or Directory to be served by LDAP, define the provider including the two aliases you’ve just created:
AuthBasicProvider ldap1 ldap2
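Putting the two steps together, here is a complete Apache 2.2 configuration as an added example (not from the original post): two aliases over LDAPS with a verified CA certificate, chained for Basic authentication on one Location. The host names, base DN, bind DN, password, certificate path and module path are placeholders you would replace with your own.

```apache
# Added example, not the original post's configuration. All names below are placeholders.

# Only needed if the module is not already loaded (check with: apachectl -t -D DUMP_MODULES).
LoadModule authn_alias_module modules/mod_authn_alias.so

# Trust the CA that issued the LDAP servers' certificates so that the ldaps://
# connections below are actually verified instead of failing or being trusted blindly.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldap-ca.pem

# Step 1: one alias per LDAP server. Each alias carries its own URL and bind credentials.
# Keep this file readable only by root: the bind password is stored in clear text.
<AuthnProviderAlias ldap ldap1>
    AuthLDAPURL "ldaps://ldap1.example.com/dc=example,dc=com?uid?sub?(objectClass=person)"
    AuthLDAPBindDN "cn=apache,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "replace-with-real-secret"
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap2>
    AuthLDAPURL "ldaps://ldap2.example.com/dc=example,dc=com?uid?sub?(objectClass=person)"
    AuthLDAPBindDN "cn=apache,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "replace-with-real-secret"
</AuthnProviderAlias>

# Step 2: reference the aliases, in order of preference, where Basic auth is required.
<Location /protected>
    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider ldap1 ldap2
    Require valid-user
</Location>
```

Run `apachectl -t` after editing to catch syntax errors before reloading.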
For more information, see the Apache online documentation for the mod_authn_core and mod_auth_basic modules.
Two things of note here: with further testing, I have been able to get the old `AuthLDAPURL` syntax to work on some systems, though not all, which means it may not be necessary for others to make any changes. A quick syntax check (`apachectl -S`) should reveal any potential problems.
Also, I'm not able to use the "new" service alias syntax in all cases, as it relies on the assumption that BasicAuth is used; on some systems, we're using an odd combination of Webauth/Kerberos for authentication and LDAP for authorization, so an `AuthBasicProvider` definition would be ineffective in that environment.
Thanks for your writeup!
However, I ran into the following issue using Ubuntu 12.04 LTS with Apache/2.2.22.
Assuming the following configuration (taken from your example):
AuthBasicProvider ldap1 ldap2
When ldap1 is down, the authentication process does not go on to try ldap2. In the Apache error.log, I can see that the server just gives up after some tries for ldap1, basically saying that the host is not reachable. It does not query ldap2.
Have you encountered such an issue as well?
Hi schlurpie,
It was my hope that something had changed in the upgrade of Apache to 2.4, but aside from the fact that you’re using 2.2, the syntax for this seems to have remained exactly the same in 2.4; see:
http://httpd.apache.org/docs/current/mod/mod_authn_core.html
Have you tried possibly reversing the order of the aliases, to ensure both are reachable and usable?
I need to use 2 LDAP servers to authenticate.
I tried your example; it doesn't work.
Do you have an actual solution?