LDAP connector with multiple servers

Jarno Huuskonen jarno.huuskonen at uef.fi
Thu Feb 11 12:19:25 UTC 2021


Hi,

On Thu, 2021-02-11 at 12:10 +0000, Joseph Fischetti wrote:
> Hi all,
> In the past we’ve configured our ldap.properties and ldap data connector
> with multiple servers in a space separated list (as outlined in the
> documentation here [1]).  Failover order hasn’t been tested since we were
> on V3, and we updated to V4 sometime last summer.
> 
> This morning during maintenance we noticed that there was no failover
> occurring.  I also noticed that on start, the idp was connecting to the
> last one in the list by default (though I seem to remember it starting
> with the first one, in the past).
> 
> For example:
> idp.authn.LDAP.ldapURL   = ldap://ldap1.domain ldap://ldap2.domain ldap://ldap3.domain
> 
> Shib was only connecting to ldap3.domain.
> 
> When forcing ldap3.domain down, netstat showed 0 connections and shib
> displayed a “pool is empty” error on the login page.
> 
> Is there something I missed during the V4 upgrade that needs to be
> specified now?  I see that the DEFAULT in the connectionStrategy has
> changed (though the ACTIVE_PASSIVE operation is ‘default’ and that’s what
> we desire)

See
https://shibboleth.1660669.n2.nabble.com/IdP-4-0-1-and-ldap-UnboundID-connectionStrategy-td7648536.html#none
and
https://issues.shibboleth.net/jira/browse/IDP-1710
and https://shibboleth.1660669.n2.nabble.com/LDAP-Url-failover-Issue-with-UnboundID-V4-td7647919.html

TL;DR: multiple authn ldapURL doesn't really work with unboundID.

-Jarno

-- 
Jarno Huuskonen
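An added check for the situation described in this thread (not code from the thread or from the Shibboleth project): it reads the space-separated idp.authn.LDAP.ldapURL value and walks the servers in ACTIVE_PASSIVE order, returning the first one that answers or None when none does, which is the "pool is empty" condition seen on the login page. The properties fragment is constructed and the ldapN.domain host names are assumptions taken from the question.

```python
import socket
from urllib.parse import urlparse

# Constructed ldap.properties fragment modelled on the one quoted in the thread.
LDAP_PROPERTIES = """
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap1.domain ldap://ldap2.domain ldap://ldap3.domain
idp.authn.LDAP.useStartTLS = true
"""


def ldap_urls(properties_text, key="idp.authn.LDAP.ldapURL"):
    """Return the space-separated URL list for `key`, in the order it was written."""
    for line in properties_text.splitlines():
        if "=" in line and line.split("=", 1)[0].strip() == key:
            return line.split("=", 1)[1].split()
    return []


def host_port(url):
    """Host and port of an LDAP URL; defaults are 389 for ldap:// and 636 for ldaps://."""
    parsed = urlparse(url)
    return parsed.hostname, parsed.port or (636 if parsed.scheme == "ldaps" else 389)


def tcp_probe(url, timeout=2.0):
    """Real reachability probe: can a TCP connection be opened to the server at all?"""
    try:
        with socket.create_connection(host_port(url), timeout=timeout):
            return True
    except OSError:
        return False


def first_available(urls, probe=tcp_probe):
    """ACTIVE_PASSIVE semantics: try servers in list order and use the first that answers.
    None models the 'pool is empty' state, i.e. no server in the list was usable."""
    for url in urls:
        if probe(url):
            return url
    return None


if __name__ == "__main__":
    # Run against the real hosts named in the properties file.
    urls = ldap_urls(LDAP_PROPERTIES)
    print("configured order:", urls)
    print("active-passive would use:", first_available(urls))
```

Swapping in a probe that performs a real bind (for example with python-ldap) instead of the TCP check gives a closer match to what the IdP's pool actually needs.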

