LDAP connector with multiple servers
Jarno Huuskonen
jarno.huuskonen at uef.fi
Thu Feb 11 12:19:25 UTC 2021
Hi,
On Thu, 2021-02-11 at 12:10 +0000, Joseph Fischetti wrote:
> Hi all,
> In the past we’ve configured our ldap.properties and ldap data connector
> with multiple servers in a space separated list (as outlined in the
> documentation here [1]). Failover order hasn’t been tested since we were
> on V3, and we updated to V4 sometime last summer.
>
> This morning during maintenance we noticed that there was no failover
> occurring. I also noticed that on start, the idp was connecting to the
> last one in the list by default (though I seem to remember it starting
> with the first one, in the past).
>
> For example:
> idp.authn.LDAP.ldapURL = ldap://ldap1.domain ldap://ldap2.domain ldap://ldap3.domain
>
> Shib was only connecting to ldap3.domain.
>
> When forcing ldap3.domain down, netstat showed 0 connections and shib
> displayed a “pool is empty” error on the login page.
>
> Is there something I missed during the V4 upgrade that needs to be
> specified now? I see that the DEFAULT in the connectionStrategy has
> changed (though the ACTIVE_PASSIVE operation is ‘default’ and that’s what
> we desire)
See
https://shibboleth.1660669.n2.nabble.com/IdP-4-0-1-and-ldap-UnboundID-connectionStrategy-td7648536.html#none
and
https://issues.shibboleth.net/jira/browse/IDP-1710
and https://shibboleth.1660669.n2.nabble.com/LDAP-Url-failover-Issue-with-UnboundID-V4-td7647919.html
TL;DR: multiple authn ldapURL doesn't really work with UnboundID.
-Jarno
--
Jarno Huuskonen
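The check below is an added example, not part of this thread and not code from the Shibboleth project. It reads the space-separated idp.authn.LDAP.ldapURL value the way ldap.properties carries it, resolves each URL to host and port (389 for ldap://, 636 for ldaps://, or an explicit port), and then probes the servers in list order, which is the order an ACTIVE_PASSIVE strategy is expected to try them. If none answers, it reports the empty-pool condition the login page showed. The hostnames ldap1/2/3.domain are the placeholders from the post; the probe assumes nc is installed.

```shell
#!/bin/sh
# Added example: walk a Shibboleth-style idp.authn.LDAP.ldapURL list in order
# and report which server an ACTIVE_PASSIVE selection would land on.
# Not from the thread or the Shibboleth project; hostnames are placeholders.

# Print the raw value of idp.authn.LDAP.ldapURL from a properties file.
# Usage: ldap_url_value <file>
ldap_url_value() {
    sed -n 's/^[[:space:]]*idp\.authn\.LDAP\.ldapURL[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Turn one LDAP URL into "host port"; default 389 for ldap://, 636 for ldaps://.
# Usage: url_to_hostport <url>
url_to_hostport() {
    url=$1
    case $url in
        ldaps://*) default_port=636; rest=${url#ldaps://} ;;
        ldap://*)  default_port=389; rest=${url#ldap://} ;;
        *) echo "unsupported URL: $url" >&2; return 1 ;;
    esac
    rest=${rest%%/*}                 # drop any base DN / path component
    case $rest in
        *:*) host=${rest%%:*}; port=${rest##*:} ;;
        *)   host=$rest; port=$default_port ;;
    esac
    printf '%s %s\n' "$host" "$port"
}

# Open a TCP connection with a 2 s timeout; succeeds only if the port answers.
# Usage: tcp_open <host> <port>
tcp_open() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# Probe every URL in list order, print per-server status on stderr, and print
# the first reachable URL (the ACTIVE_PASSIVE pick) on stdout.
# Returns 1 when no server is reachable, i.e. the pool would be empty.
# Usage: first_reachable "<space-separated urls>"
first_reachable() {
    if ! command -v nc >/dev/null 2>&1; then
        echo "nc not found; cannot probe servers" >&2
        return 2
    fi
    chosen=""
    for u in $1; do
        hp=$(url_to_hostport "$u") || continue
        host=${hp%% *}; port=${hp##* }
        if tcp_open "$host" "$port"; then
            echo "$u: reachable" >&2
            [ -z "$chosen" ] && chosen=$u
        else
            echo "$u: unreachable" >&2
        fi
    done
    if [ -n "$chosen" ]; then
        printf '%s\n' "$chosen"
        return 0
    fi
    echo "no server reachable: connection pool would be empty" >&2
    return 1
}

# Constructed ldap.properties fragment mirroring the post's example.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
idp.authn.LDAP.ldapURL = ldap://ldap1.domain ldap://ldap2.domain ldap://ldap3.domain
idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE
EOF
URLS=$(ldap_url_value "$SAMPLE")
rm -f "$SAMPLE"
echo "configured order: $URLS"
# The placeholder hosts will not resolve, so this reports an empty pool
# until you substitute your own servers.
first_reachable "$URLS" || true
```

Run it on your real ldap.properties by replacing the constructed sample with `URLS=$(ldap_url_value /opt/shibboleth-idp/conf/ldap.properties)`; compare the URL it prints against what netstat shows the IdP actually holding open, which is the discrepancy the post describes.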