Monogramm / taiga-contrib-ldap-auth-ext

:snake: :alembic: Extended Taiga plugin for LDAP authentication
http://taiga.io
GNU Affero General Public License v3.0

Multiple LDAP Server Array #16

Open benyanke opened 6 years ago

benyanke commented 6 years ago

Currently it seems only one LDAP server is allowed.

Would love to see an implementation which would allow multiples, for HA. Perhaps a CSV list would then be tried if one didn't respond.

madmath03 commented 6 years ago

Indeed, the plugin currently allows one LDAP server.

Regarding your use case, I would say having one single address for your LDAP cluster seems better and would solve your issue. Your cluster would replicate operations between a master and slave(s) and use a load balancer.

But, I definitely am no expert in HA configuration, especially when it comes to LDAP clusters. Plus, several other LDAP authentication systems allow this, so I do not see why we should prevent Taiga from having the same feature.

I do not have much free time to work on taiga ldap auth since it already meets our company requirements but we will gladly support and accept any help provided to improve it further 😉

benyanke commented 6 years ago

In most situations, I see LDAP handled like DNS, where there are typically 2 logical endpoints, those endpoints being serviced by, of course, as many actual servers as the uptime requirements demand. I know in my company, we have two on-prem domain controllers, and most of the ones I've worked with have done the same. I know the other tools I have used all allow multiple LDAP servers, so I agree it's a useful feature.

It's obviously not super high on my list, but I will try and get this implemented in a PR when I'm able!

stale[bot] commented 5 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

benyanke commented 5 years ago

While this isn't a resolution of the issue, and I'd love to see an array of servers supported w/ proper fallback procedure (as most enterprise LDAP apps have), this can be somewhat worked around via DNS, which is what I'm doing for the time being - point the LDAP server at the DNS name which points to both servers.

The downside is that the app doesn't automatically retry if one of the two is down, leading to half the requests failing. However, it's better than hardcoding to a single one.

Just posting this for those who may need the same thing, and want a workaround for now.
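The "CSV list tried if one didn't respond" behaviour requested in this issue, and the missing retry that makes the DNS round-robin workaround above fail half the time, as an added example that is not part of taiga-contrib-ldap-auth-ext: the ldap3 bind is replaced by an injected callable so it runs offline, and every name and server URI is hypothetical.

```python
"""Failover bind over a CSV list of LDAP servers (added example, not code from
taiga-contrib-ldap-auth-ext; names hypothetical; bind attempt is injected)."""
from typing import Callable, List, Tuple

class LdapUnreachable(Exception):
    """Transport failure (timeout, refused): safe to try the next server."""

class LdapBindFailed(Exception):
    """Server answered and rejected the credentials: do not fail over."""

def parse_server_list(csv_value: str) -> List[str]:
    """'ldaps://a:636, ldaps://b:636' -> ordered, de-duplicated list of URIs."""
    seen, servers = set(), []
    for item in csv_value.split(","):
        uri = item.strip()
        if uri and uri not in seen:
            seen.add(uri)
            servers.append(uri)
    return servers

def bind_with_failover(csv_value: str,
                       attempt_bind: Callable[[str], bool]) -> Tuple[str, List[str]]:
    """Try each server in order; return (uri_used, uris_attempted).
    attempt_bind(uri) returns True on success, raises LdapUnreachable when the
    server is down, or LdapBindFailed on bad credentials. Only an unreachable
    server triggers failover: a rejected bind is a definite answer, and
    retrying it on the next replica just multiplies failed-bind events and
    lockout counters across the directory."""
    servers = parse_server_list(csv_value)
    if not servers:
        raise ValueError("no LDAP servers configured")
    attempted: List[str] = []
    for uri in servers:
        attempted.append(uri)
        try:
            if attempt_bind(uri):
                return uri, attempted
        except LdapUnreachable:
            continue  # this replica is down; move on to the next one
    raise LdapUnreachable("no configured LDAP server reachable: %s" % attempted)

def make_fake_binder(down: set, valid_password: str, supplied: str):
    """Constructed stand-in for an ldap3 bind: servers in `down` time out."""
    def attempt(uri: str) -> bool:
        if uri in down:
            raise LdapUnreachable(uri)
        if supplied != valid_password:
            raise LdapBindFailed(uri)
        return True
    return attempt
```

A real implementation would wrap `ldap3.Connection(...).bind()` in `attempt_bind`, mapping socket and timeout errors to `LdapUnreachable` and an `invalidCredentials` result to `LdapBindFailed`.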