httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ricardo Stella <>
Subject Re: [users@httpd] Multiple LDAP servers in mod_auth_ldap
Date Wed, 15 Mar 2006 15:16:26 GMT

Apache 2.0 doesn't work quite well for this as when it's linked with
openldap, it does not provide a 'timeout' option, therefore if one of
the ldap servers is down, it'll take forever to switch to the next one.

The netscape libs have that ability but it didn't quite work and require
another small patch.

Also, on 2.0.54 the code was locked to only complile with openldap
regardless...  There's a bug reported, but I believe this part was fixed
in 2.0.55.  The netscape libs ability to provide timeout values was not.

Now, 2.2.0 does work in the way it should straight out of the box which
is good.

Another option I've been toying with is a small load balancer such as pen.

Oh, and there were issues with not properly escaping spaces, if your
basedn included them (like in X500 format).

Since you will need to recompile regardless, I'd say you give 2.2.0 a try...

My .02...

Steve Nisbet wrote:
> Hi folks,
> I have been using mod_auth_ldap in Apache 2.0 for some time, and apart from
> falling over every now and then it functions fine. However, we have a number of
> LDAP servers and I wanted a bit of resillience for authentication.
> I noted that in the manual for mod_auth_ldap it is suggested that a number of
> hosts can be specified, separated by spaces.
> Heres the quote from the manual,
> host:port
>     The name/port of the ldap server (defaults to localhost:389 for ldap, and
> localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list
> all servers, separated by spaces. mod_auth_ldap will try connecting to each
> server in turn, until it makes a successful connection.
> My problem is that this is very vague, I have spent some time trying all sorts
> of cominations of the server URL to no avail.
> Anybody got a working example of multi-host LDAP?
> thanks in advance
> Steve Nisbet
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:> for more info.
> To unsubscribe, e-mail:
>    "   from the digest:
> For additional commands, e-mail:



View raw message