Multiple ldapURL values in

Daniel Fisher dfisher at
Tue Jun 21 13:02:19 UTC 2022

On Mon, Jun 20, 2022 at 2:55 PM Steven Teixeira <steixeira at>

> We recently changed our idp.authn.LDAP.ldapURL value from a single DNS
> round robin entry to multiple servers, separated by space.  As below:
> idp.authn.LDAP.ldapURL = ldaps:// ldaps://
> ldaps:// ldaps://
> idp.attribute.resolver.LDAP.ldapURL is set as below:
> idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
> During testing of this change, the failover behavior was as expected.
> Authentication was immediate when server1 was up.  After powering down
> server1, authentication took 3 seconds longer (the timeout value).  After
> powering down server2, with server1 still powered off, authentication took
> 6 seconds longer (3 seconds per server).  This continued through server4.
> So we believed this to be working.  However, last week, it became clear
> that authentication was happening primarily on server4, the last entry in
> the space delimited list.  Further, when server4 was unreachable, the IdP
> didn’t even try to authenticate against any of the other LDAP servers
> listed.
> The lines for idp.authn.LDAP.connectionStrategy and
> idp.attribute.resolver.LDAP.connectionStrategy are as follows:
> #idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE
> idp.attribute.resolver.LDAP.connectionStrategy =
> %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE}
> So, our impression is that ACTIVE_PASSIVE is the current setting since it
> should be the default value.  Has anyone else run into behavior like this,
> or did I just miss something obvious?

What version of the IDP are you running? There was a bug that caused that
behavior if no connectionStrategy was configured. Explicitly setting
`idp.authn.LDAP.connectionStrategy` or running the latest version of the
IDP should fix this issue.

--Daniel Fisher
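The failover order the poster expected from ACTIVE_PASSIVE, set beside the behaviour he observed, as an added example for this thread. It is not code from the Shibboleth IdP or from ldaptive, and it does not model the internals of the bug Daniel mentions; `last_url_only` mirrors only what the report describes (last URL used, no fallback). The hostnames are constructed stand-ins for the scrubbed ones, the 3-second figure is the per-server timeout from the report, and `probe_tcp` is a plain TCP connect (no LDAP bind, no TLS handshake) that can be swapped in for the offline probe to check each configured URL is reachable from the IdP host.

```python
"""Failover model for a space-delimited Shibboleth IdP ldapURL list.

Added example for this thread; not code from the Shibboleth IdP or from
ldaptive. Hostnames are constructed; the 3-second timeout comes from the
original report.
"""
import socket
from urllib.parse import urlsplit

# Constructed stand-in for the poster's scrubbed idp.authn.LDAP.ldapURL value.
EXAMPLE_LDAP_URL = (
    "ldaps://ldap1.example.org ldaps://ldap2.example.org "
    "ldaps://ldap3.example.org ldaps://ldap4.example.org"
)
CONNECT_TIMEOUT = 3.0  # seconds lost per unreachable server, per the report

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_urls(value):
    """Split the property value on whitespace, preserving configured order."""
    return value.split()


def probe_tcp(url, timeout):
    """Live reachability check: a TCP connect to the URL's host and port.

    Transport-level only; it performs no LDAP bind and no TLS handshake.
    """
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout):
            return True
    except OSError:
        return False


def fake_probe(down):
    """Offline stand-in for probe_tcp: URLs in `down` never answer."""
    return lambda url, timeout: url not in down


def active_passive(urls, probe, timeout):
    """ACTIVE_PASSIVE as the poster expected it: walk the list in configured
    order and use the first server that answers.

    Returns (url_used or None, seconds lost to timeouts, urls attempted).
    """
    tried = []
    lost = 0.0
    for url in urls:
        tried.append(url)
        if probe(url, timeout):
            return url, lost, tried
        lost += timeout
    return None, lost, tried


def last_url_only(urls, probe, timeout):
    """Model of the behaviour the poster observed: only the last URL is
    contacted and nothing else is attempted when it is down. This mirrors
    the report, not the implementation of the bug Daniel refers to.
    """
    url = urls[-1]
    ok = probe(url, timeout)
    return (url if ok else None), (0.0 if ok else timeout), [url]


def failover_table(urls, timeout):
    """For k = 0..len(urls) servers down (from the front of the list), return
    (k, url ACTIVE_PASSIVE ends up on, delay a user would notice)."""
    rows = []
    for k in range(len(urls) + 1):
        used, lost, _ = active_passive(urls, fake_probe(set(urls[:k])), timeout)
        rows.append((k, used, lost))
    return rows


if __name__ == "__main__":
    urls = parse_ldap_urls(EXAMPLE_LDAP_URL)
    for k, used, lost in failover_table(urls, CONNECT_TIMEOUT):
        print(f"{k} server(s) down -> {used} after {lost:.0f}s of timeouts")
    used, lost, tried = last_url_only(urls, fake_probe({urls[-1]}), CONNECT_TIMEOUT)
    print(f"observed behaviour with {urls[-1]} down: used={used}, tried={tried}")
    # Against real servers, swap the offline probe for the TCP one:
    #   active_passive(urls, probe_tcp, CONNECT_TIMEOUT)
```

The table the script prints is the test the poster ran by hand (3 seconds of extra latency per dead server, in list order); if a live run with `probe_tcp` reaches every host but the IdP still lands on the last URL only, the strategy is not iterating the list, which is the symptom this thread covers. The remedy from the thread is to set `idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE` explicitly rather than relying on the default, or to upgrade the IdP.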