Support of multiple LDAP servers for authorization
We have ability to define multiple LDAP servers, but we can choose only one of them for users autorization. The problem is, when definded LDAP server goes down, we should change it's IP-address (or chnage all users settings to use another (live) server). It would be great if we will be able to set multiple LDAP servers to try for each user, so if one of them goes down, redmain was able to fallback to another server w/o admin intervention.
Updated by Etienne Massip over 11 years ago
IMHO this is something you would better solve by upgrading your network configuration; e.g. you could setup some failover mechanism on your LDAP server (you can have a look to this thread).
Updated by Thomas Ihme over 10 years ago
We are going to provide more than one address for LDAP authentication to have a fail-over behaviour. It would be nice to have the ability to set multiple LDAP hosts for one LDAP configuration, so fail-over takes place in case one server is down.
Updated by Ruslan Mahmatkhanov over 10 years ago
That is a great news. Looking forward to this feature implemented. Thank you!
Updated by Julian Faude almost 10 years ago
- File auth_ldap_failover.patch auth_ldap_failover.patch added
I ran into the exact same problem. I intuitively tried to provide multiple ldap servers for automatic failover because that's what I'm used to when it comes to pam_ldap and so on. This obviously failed. Although I find a local load balancer like HAProxy interesting I take a shot at implementing this 'try one after another'-approach directly into redmine.
I attached a patch against r11979. It allows to provide multiple ldap hosts in host(s) input separated by comma. On initialize_ldap_con it runs through list and tries to find an entry which allows a successful connection. In case it succeeds it return Net::Ldap instance. In case it fails it raises AuthSourceException with message from attempt to connect to first ldap host in list. However I am not sure if that last point makes to much sence since the fail messages from all attempts might be interesting. Hope that helps!
Updated by Dmitry Shumilin over 6 years ago
Updated by Michal Kalwig over 6 years ago
Updated by Nico Schottelius over 4 years ago
Hello redmine developers,
I have just ran into the issue with redmine-4. The problem is that "the whole world" uses ldap server LISTS - i.e. pam, sssd, various libraries.
So while it is technically possible to use haproxy in tcp mode, it is very uncommon.
Thus I was wondering if you can consider to implement this feature?
Updated by Maximilian Eschenbacher almost 4 years ago
we just run into the same issue. It is possible to add several LDAP authentication methods but only the first one will be chosen, ignoring the others.