httpd-users mailing list archives

From Stijn Jonker <sjon...@upcbroadband.com>
Subject [users@httpd] Apache 2.2.3 & mod_authnz_ldap & failover
Date Thu, 22 Nov 2007 07:55:48 GMT
Hello,

We are currently integrating several Apache instances with LDAP for
authentication. This works wonderfully, with one exception, and that is LDAP
failover. If the primary LDAP server is not available, the failover/switch
towards the second entry in the config only happens after minutes.

Our testing platform runs Centos 5, and has the following versions/apps
installed: httpd-2.2.3-7, openldap-2.3.27-5, openssl-0.9.8b-8.3

It was tested with and without SSL (over 636/tcp), STARTTLS (via 389/tcp) and
plain (over 389/tcp); none of these performed a successful/quick failover. The
end goal would be either SSL- or STARTTLS-based LDAP connectivity.

The preference would be to fail over if there is no 3-way TCP handshake after 2
seconds or a query is not returned within 2 seconds.

We tried lowering the Apache "timeout" option, and attempted .ldaprc and
environment variables for OpenLDAP:
LDAPNETWORK_TIMEOUT="2"
LDAPTIMEOUT="2"
LDAPTLS_CACERTDIR="/etc/SSL/CA"

Any suggestions how to proceed?

Test Configuration failover ldap:
---------------------------------
# LDAP Test SJC
LDAPSharedCacheSize 200000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPConnectionTimeout 2
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/SSL/CA.pem
LDAPVerifyServerCert on

<Location /ldap-status>
        SetHandler ldap-status
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/23
        AuthName "LDAP Status"
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPURL "ldap://192.168.1.40 172.16.1.40/ou=People,ou=Users,o=Corp?cn?sub" STARTTLS
        AuthLDAPBindDN "cn=Apache01,ou=ServiceAccounts,ou=Users,o=Corp"
        AuthLDAPBindPassword "<<REMOVED>>"
        Require valid-user
</Location>
# End of LDAP Test SJC

Thanks in advance,
Stijn
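As an added example (not part of Stijn's post, nor code from httpd or OpenLDAP), the script below parses the space-separated host list that mod_authnz_ldap accepts in AuthLDAPURL and times a plain TCP connect to each host under a hard 2-second deadline, which is the failover behaviour the post asks for. It assumes the hosts are tried in listed order and measures only the TCP handshake, not the LDAP bind; the two private addresses in the sample URL are the ones from the post.

```python
# Added example, not code from the post or from httpd. Assumes the LDAP library
# tries the space-separated hosts in listed order; only TCP connect is timed.
import socket
import time

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_auth_ldap_url(url):
    """Split ldap://host[:port] [host2[:port]]/basedn?attr?scope?filter into
    (scheme, [(host, port), ...], path_and_query). IPv6 literals not handled."""
    scheme, _, rest = url.partition("://")
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {scheme!r}")
    hostpart, slash, remainder = rest.partition("/")
    servers = []
    for token in hostpart.split():
        if ":" in token:
            host, port = token.rsplit(":", 1)
            servers.append((host, int(port)))
        else:
            servers.append((token, DEFAULT_PORTS[scheme]))
    return scheme, servers, slash + remainder

def probe(host, port, timeout=2.0):
    """TCP connect with a hard deadline; return (reachable, seconds_taken)."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, time.monotonic() - start
    except OSError:
        return False, time.monotonic() - start

def first_reachable(url, timeout=2.0):
    """Try hosts in listed order, stop at the first that answers. Returns
    (chosen (host, port) or None, [(host, port, reachable, secs), ...])."""
    _, servers, _ = parse_auth_ldap_url(url)
    results = []
    for host, port in servers:
        ok, secs = probe(host, port, timeout)
        results.append((host, port, ok, secs))
        if ok:
            return (host, port), results
    return None, results

if __name__ == "__main__":  # constructed input: the two hosts from the post
    chosen, results = first_reachable(
        "ldap://192.168.1.40 172.16.1.40/ou=People,ou=Users,o=Corp?cn?sub")
    for host, port, ok, secs in results:
        print(f"{host}:{port} {'up' if ok else 'DOWN'} {secs:.2f}s; chosen={chosen}")
```

If the primary host is down, the reported time for it shows the ceiling a 2-second TCP deadline gives; anything longer than that in Apache itself points at the LDAP library's own connect and bind timeouts rather than the network.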


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

