Feature #9216
openSupport of multiple LDAP servers for authorization
0%
Description
Good day!
We have ability to define multiple LDAP servers, but we can choose only one of them for users autorization. The problem is, when definded LDAP server goes down, we should change it's IP-address (or chnage all users settings to use another (live) server). It would be great if we will be able to set multiple LDAP servers to try for each user, so if one of them goes down, redmain was able to fallback to another server w/o admin intervention.
Thanks.
Files
Updated by Etienne Massip over 13 years ago
IMHO this is something you would better solve by upgrading your network configuration; e.g. you could setup some failover mechanism on your LDAP server (you can have a look to this thread).
Updated by Thomas Ihme over 12 years ago
We are going to provide more than one address for LDAP authentication to have a fail-over behaviour. It would be nice to have the ability to set multiple LDAP hosts for one LDAP configuration, so fail-over takes place in case one server is down.
Updated by Ruslan Mahmatkhanov over 12 years ago
That is a great news. Looking forward to this feature implemented. Thank you!
Updated by Julian Faude over 11 years ago
- File auth_ldap_failover.patch auth_ldap_failover.patch added
I ran into the exact same problem. I intuitively tried to provide multiple ldap servers for automatic failover because that's what I'm used to when it comes to pam_ldap and so on. This obviously failed. Although I find a local load balancer like HAProxy interesting I take a shot at implementing this 'try one after another'-approach directly into redmine.
I attached a patch against r11979. It allows to provide multiple ldap hosts in host(s) input separated by comma. On initialize_ldap_con it runs through list and tries to find an entry which allows a successful connection. In case it succeeds it return Net::Ldap instance. In case it fails it raises AuthSourceException with message from attempt to connect to first ldap host in list. However I am not sure if that last point makes to much sence since the fail messages from all attempts might be interesting. Hope that helps!
Updated by Michal Kalwig about 8 years ago
Updated by Nico Schottelius almost 6 years ago
Hello redmine developers,
I have just ran into the issue with redmine-4. The problem is that "the whole world" uses ldap server LISTS - i.e. pam, sssd, various libraries.
So while it is technically possible to use haproxy in tcp mode, it is very uncommon.
Thus I was wondering if you can consider to implement this feature?
Updated by Maximilian Eschenbacher over 5 years ago
Hey,
we just run into the same issue. It is possible to add several LDAP authentication methods but only the first one will be chosen, ignoring the others.
Regards,
Max
Updated by Matthias Witt about 1 year ago
Hello
When you use an Active Directory, the ADDC Server have an entry with his IP address in the DNS Server as domain name.
That means, you can use, by a working DNS structure, the domain name as hostname.
If one server fail, the redmine become the second server from the DNS.
The DNS server if normaly configure whit RoundRobin.
The authentification at a failed server can be longer as normal. The DNS translate the name to the IP even if the server are not reachable.
Runnel
Updated by Gilles Van Vlasselaer 7 months ago
Any update on this? Fail-over to the next definied server is default behavior in other applications, learned out the hard way this morning in our company that it isn't for Redmine.
Regards,
Gilles