Suggestion about Idp ldap configuration

Peter Schober peter.schober at
Fri Nov 23 08:03:12 EST 2018

* Monica Petrella <petrella at> [2018-11-20 09:37]:
> The problem arises when one of the two ldap servers is, for example,
> unavailable.

That should never happen. Well, of course, server outages happen, but
replicating LDAP servers should be easy and cheap (unless you're stuck
on some broken platform) and putting a loadbalancer of some kind
before those servers lets you keep the *service* always available
(assuming you have a sufficient number of servers that can handle the
load also if one or maybe two others go down) even if individual
servers go down.

> When it occurs, if a user that is located in the working ldap
> server tries to authenticate itself through idp, it doesn't work and
> it receives an error message like "Pool is empty and connection
> creation failed".

Each of the DataConnectors can be configured as optional, essentially,
by adding a Failover data connector to it and making that other
Failover data connector a "null" one, for example. Or use other
combinations with the Failover method.
But with 2 LDAP servers the chance of the subject needing the one
server that's down is still 50%, so that doesn't give you much.

> is it possible to configure idp with more than one ldap, each
> different from the other one, in order to handle the user's
> authentication against the other working ldap servers, even if one
> ldap server wouldn't have been available?

Not sure I understand. If only one LDAP server will work for any given
subject then you can't have that server ever go down or things will
break for everyone on that server?
If any one of multiple LDAP servers would work for all subjects the
best way to avoid these issues is by adding a loadbalancer to the mix.

Feel free to elaborate in case I did not understand your issue properly.
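The Failover-plus-"null"-connector arrangement described in the reply above, as an added attribute-resolver.xml sketch that is not part of the list post or of the Shibboleth project's own documentation; hostnames, base DNs, bind DNs and the placeholder attribute are assumed values, and the two directories are assumed to hold disjoint sets of subjects:

```xml
<!-- attribute-resolver.xml excerpt (illustrative, IdP v3-style syntax).
     Two separate directories, each holding a different set of subjects. -->

<!-- Directory A: two replicas listed on one connector; the next URL is
     tried when the first is unreachable (the "replicate + spread" advice). -->
<DataConnector id="ldapA" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap1.a.example.org ldaps://ldap2.a.example.org"
    baseDN="ou=people,dc=a,dc=example,dc=org"
    principal="cn=idp,ou=system,dc=a,dc=example,dc=org"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
    <FilterTemplate>
        <![CDATA[
            (uid=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
    <!-- If every replica of A is down, resolution continues with the
         fallback connector instead of failing outright. -->
    <FailoverDataConnector ref="nullConnector" />
</DataConnector>

<!-- Directory B, same pattern, so an outage of A does not break
     subjects that only exist in B (and vice versa). -->
<DataConnector id="ldapB" xsi:type="LDAPDirectory"
    ldapURL="ldaps://ldap1.b.example.org ldaps://ldap2.b.example.org"
    baseDN="ou=people,dc=b,dc=example,dc=org"
    principal="cn=idp,ou=system,dc=b,dc=example,dc=org"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}">
    <FilterTemplate>
        <![CDATA[
            (uid=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
    <FailoverDataConnector ref="nullConnector" />
</DataConnector>

<!-- The "null" connector: a Static connector carrying only a placeholder
     attribute (assumed name) that no AttributeDefinition reads, so nothing
     from it is ever released. It exists only so that resolution succeeds
     with no values from the unreachable directory. -->
<DataConnector id="nullConnector" xsi:type="Static">
    <Attribute id="placeholder">
        <Value>directory-unavailable</Value>
    </Attribute>
</DataConnector>
```

Note that this only keeps attribute resolution going; password authentication against LDAP is configured separately (the `idp.authn.LDAP.*` settings), so a subject whose only directory is down still cannot log in, which is the case the reply's loadbalancer advice addresses.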
