Multiple LDAP servers with mod_authn_alias: failover not working when the first LDAP is down?
- by quanta
I've been trying to setup redundant LDAP servers with Apache 2.2.3.
/etc/httpd/conf.d/authn_alias.conf
<AuthnProviderAlias ldap master>
AuthLDAPURL ldap://192.168.5.148:389/dc=domain,dc=vn?cn
AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>
<AuthnProviderAlias ldap slave>
AuthLDAPURL ldap://192.168.5.199:389/dc=domain,dc=vn?cn
AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>
/etc/httpd/conf.d/authz_ldap.conf
#
# mod_authz_ldap can be used to implement access control and
# authenticate users against an LDAP database.
#
LoadModule authz_ldap_module modules/mod_authz_ldap.so
<IfModule mod_authz_ldap.c>
<Location />
AuthBasicProvider master slave
AuthzLDAPAuthoritative Off
AuthType Basic
AuthName "Authorization required"
AuthzLDAPMemberKey member
AuthUserFile /home/setup/svn/auth-conf
AuthzLDAPSetGroupAuth user
require valid-user
AuthzLDAPLogLevel error
</Location>
</IfModule>
If I understand correctly, mod_authz_ldap will try to search users in the second LDAP if the first server is down or OpenLDAP on it is not running.
But in practice, it does not happen. Tested by stopping LDAP on the master, I get the "500 Internal Server Error" when accessing to the Subversion repository. The error_log shows:
[11061] auth_ldap authenticate: user quanta authentication failed;
URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
Did I misunderstand? AuthBasicProvider ldap1 ldap2 only means that if mod_authz_ldap can't find the user in ldap1, it will continue with ldap2. It doesn't include the failover feature (ldap1 must be running and working fine)?
