AuthBasicProvider: failover not working when the first LDAP is down?
Posted by quanta on Server Fault
Published on 2012-06-26T09:11:12Z
Indexed on 2012/06/26 9:17 UTC
I've been trying to set up redundant LDAP servers with Apache 2.2.3.
/etc/httpd/conf.d/authn_alias.conf
<AuthnProviderAlias ldap master>
    AuthLDAPURL ldap://192.168.5.148:389/dc=domain,dc=vn?cn
    AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
    AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>

<AuthnProviderAlias ldap slave>
    AuthLDAPURL ldap://192.168.5.199:389/dc=domain,dc=vn?cn
    AuthLDAPBindDN cn=anonymous,ou=it,dc=domain,dc=vn
    AuthLDAPBindPassword pa$$w0rd
</AuthnProviderAlias>
/etc/httpd/conf.d/authz_ldap.conf
#
# mod_authz_ldap can be used to implement access control and
# authenticate users against an LDAP database.
#
LoadModule authz_ldap_module modules/mod_authz_ldap.so
<IfModule mod_authz_ldap.c>
    <Location />
        AuthBasicProvider master slave
        AuthzLDAPAuthoritative Off
        AuthType Basic
        AuthName "Authorization required"
        AuthzLDAPMemberKey member
        AuthUserFile /home/setup/svn/auth-conf
        AuthzLDAPSetGroupAuth user
        require valid-user
        AuthzLDAPLogLevel error
    </Location>
</IfModule>
If I understand correctly, mod_authz_ldap will try to search for users in the second LDAP if the first server is down or OpenLDAP on it is not running. But in practice, that does not happen. When I test by stopping LDAP on the master, I get a "500 Internal Server Error" when accessing the Subversion repository. The error_log shows:
[11061] auth_ldap authenticate: user quanta authentication failed;
URI / [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
Did I misunderstand?
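An added example, not part of the post above, modelling why a dead first provider never hands off to the second: mod_auth_basic only moves down the AuthBasicProvider list when a provider answers "user not found", while a failed bind is a general error that stops the walk and surfaces as a 500. The provider closures, the sample directory and the credentials are constructed; host-level failover has to happen inside mod_authnz_ldap itself, which accepts several space-separated hosts in a single AuthLDAPURL.

```python
from enum import Enum


class AuthResult(Enum):
    """The four outcomes an authn provider can hand back to mod_auth_basic."""
    GRANTED = "AUTH_GRANTED"
    DENIED = "AUTH_DENIED"
    USER_NOT_FOUND = "AUTH_USER_NOT_FOUND"
    GENERAL_ERROR = "AUTH_GENERAL_ERROR"


def ldap_provider(reachable, users):
    """Stand-in for one <AuthnProviderAlias ldap ...> block (constructed)."""
    def check(user, password):
        if not reachable:
            # ldap_simple_bind_s() fails ("Can't contact LDAP server"):
            # the provider reports an error, not a missing user
            return AuthResult.GENERAL_ERROR
        if user not in users:
            return AuthResult.USER_NOT_FOUND
        return AuthResult.GRANTED if users[user] == password else AuthResult.DENIED
    return check


def basic_auth_chain(providers, user, password):
    """Walk the chain the way mod_auth_basic does: only USER_NOT_FOUND
    passes the request on; any other result ends the walk immediately."""
    result = AuthResult.USER_NOT_FOUND
    for check in providers:
        result = check(user, password)
        if result != AuthResult.USER_NOT_FOUND:
            break
    return result


def http_status(result):
    """Map the final provider result to the status the client sees."""
    return {
        AuthResult.GRANTED: 200,
        AuthResult.DENIED: 401,
        AuthResult.USER_NOT_FOUND: 401,
        AuthResult.GENERAL_ERROR: 500,
    }[result]


def status_for(master_up, user, password):
    """Constructed scenario: master and slave replicate the same directory."""
    directory = {"quanta": "s3cret-sample"}  # constructed credentials
    chain = [ldap_provider(master_up, directory), ldap_provider(True, directory)]
    return http_status(basic_auth_chain(chain, user, password))
```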