Feature #9216

open

Support of multiple LDAP servers for authorization

Added by Ruslan Mahmatkhanov about 13 years ago. Updated 6 months ago.

Status: New
Priority: Normal
Assignee: -
Category: LDAP
Target version: -
Start date: 2011-09-09
Due date:
% Done: 0%
Estimated time:
Resolution:

Description

Good day!

We have the ability to define multiple LDAP servers, but we can choose only one of them for user authorization. The problem is, when the defined LDAP server goes down, we have to change its IP address (or change all users' settings to use another (live) server). It would be great if we were able to set multiple LDAP servers to try for each user, so if one of them goes down, Redmine could fall back to another server w/o admin intervention.
Thanks.


Files

auth_ldap_failover.patch (24.5 KB) - Julian Faude, 2013-06-19 01:07
Actions #1

Updated by Etienne Massip about 13 years ago

IMHO this is something you would better solve by upgrading your network configuration; e.g. you could set up some failover mechanism on your LDAP server (you can have a look at this thread).

Actions #2

Updated by Thomas Ihme over 12 years ago

We are going to provide more than one address for LDAP authentication to have a fail-over behaviour. It would be nice to have the ability to set multiple LDAP hosts for one LDAP configuration, so fail-over takes place in case one server is down.

Actions #3

Updated by Ruslan Mahmatkhanov over 12 years ago

That is great news. Looking forward to this feature being implemented. Thank you!

Actions #4

Updated by Julian Faude over 11 years ago

I ran into the exact same problem. I intuitively tried to provide multiple LDAP servers for automatic failover because that's what I'm used to when it comes to pam_ldap and so on. This obviously failed. Although I find a local load balancer like HAProxy interesting, I took a shot at implementing this 'try one after another' approach directly in Redmine.

I attached a patch against r11979. It allows providing multiple LDAP hosts in the host(s) input, separated by commas. On initialize_ldap_con it runs through the list and tries to find an entry which allows a successful connection. In case it succeeds it returns a Net::LDAP instance. In case it fails it raises AuthSourceException with the message from the attempt to connect to the first LDAP host in the list. However, I am not sure if that last point makes too much sense, since the failure messages from all attempts might be interesting. Hope that helps!
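An added example, not Redmine's code and not the attached patch: the "try one host after another" loop described above, keeping the failure messages of every attempt (the open point at the end of the comment) and bounding each attempt with a timeout so an unreachable server cannot stall a login indefinitely. `LdapFailover`, `AuthSourceFailoverError`, `per_host_timeout` and the injected connector block are assumptions standing in for Redmine's initialize_ldap_con, AuthSourceException and Net::LDAP; the hostnames are constructed.

```ruby
require 'timeout'

# Hypothetical stand-in for Redmine's AuthSourceException (assumption).
class AuthSourceFailoverError < StandardError; end

module LdapFailover
  # Splits the comma-separated "host(s)" field into a clean host list.
  def self.parse_hosts(field)
    field.to_s.split(',').map(&:strip).reject(&:empty?)
  end

  # Tries each host in order with the given block (which would return a
  # Net::LDAP instance in Redmine; here any truthy object). Returns the
  # first connection that succeeds. If every host fails, raises a single
  # exception listing every host's failure, so the operator can see why
  # all of them failed rather than only the first attempt.
  def self.connect_with_failover(hosts, per_host_timeout: 5)
    raise ArgumentError, 'no LDAP hosts configured' if hosts.empty?
    failures = []
    hosts.each do |host|
      begin
        conn = Timeout.timeout(per_host_timeout) { yield host }
        # Fail closed: no connection object is a failure, never "no auth".
        raise 'connector returned no connection' unless conn
        return conn
      rescue Timeout::Error
        failures << "#{host}: timed out after #{per_host_timeout}s"
      rescue StandardError => e
        failures << "#{host}: #{e.message}"
      end
    end
    raise AuthSourceFailoverError, "all LDAP hosts failed: #{failures.join('; ')}"
  end
end

# Constructed demo with a fake connector: the first host refuses, the
# second answers; no real LDAP server is contacted.
if $PROGRAM_NAME == __FILE__
  hosts = LdapFailover.parse_hosts('ldap1.example.test, ldap2.example.test')
  conn = LdapFailover.connect_with_failover(hosts, per_host_timeout: 2) do |h|
    raise 'connection refused' if h == 'ldap1.example.test'
    "fake-connection-to-#{h}"
  end
  puts conn # fake-connection-to-ldap2.example.test
end
```

In Redmine the block would build and bind the Net::LDAP instance for the host; a bind failure raised from it is recorded like any other error and the next host is tried.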

Actions #6

Updated by Michal Kalwig about 8 years ago

Dmitry Shumilin wrote:

#11967 #23973

Hello!

This feature is needed but not working with Redmine 3.3.1. Can somebody update this thread?

Thanks!

Actions #7

Updated by Nico Schottelius almost 6 years ago

Hello redmine developers,

I have just run into the issue with redmine-4. The problem is that "the whole world" uses LDAP server LISTS - i.e. pam, sssd, various libraries.

So while it is technically possible to use haproxy in tcp mode, it is very uncommon.

Thus I was wondering if you could consider implementing this feature?

Actions #8

Updated by Maximilian Eschenbacher over 5 years ago

Hey,

we just ran into the same issue. It is possible to add several LDAP authentication methods, but only the first one will be chosen, ignoring the others.

Regards,

Max

Actions #9

Updated by Matthias Witt about 1 year ago

Hello

When you use an Active Directory, the AD DC servers have an entry with their IP address in the DNS server under the domain name.
That means, with a working DNS structure, you can use the domain name as the hostname.

If one server fails, Redmine gets the second server from DNS.
The DNS server is normally configured with round-robin.
Authentication at a failed server can take longer than normal: DNS translates the name to the IP even if the server is not reachable.

Runnel

Actions #10

Updated by Gilles Van Vlasselaer 6 months ago

Any update on this? Fail-over to the next defined server is default behavior in other applications; we learned the hard way this morning in our company that it isn't for Redmine.

Regards,
Gilles
