UniStuttgart-VISUS / Visus.LdapAuthentication

LDAP authentication middleware for ASP.NET Core
MIT License

Secondary redundant server option #16

Closed antoniolago closed 3 weeks ago

antoniolago commented 1 month ago

Is your feature request related to a problem? Please describe. We want to mirror our Domain Controller/Active Directory into a cloud provider and have 2 working servers, one home at our datacenter the other in Oracle's OKE. This library only supports 1 server configured.

What is the solution you envision? I want to be able to configure both servers in a redundant way: when one fails, the other takes over.

Are there alternative solutions? Maybe proxy externally via nginx or something.

Is there a workaround? No.

Maybe LdapConfiguration can be a list or something

"LdapConfiguration": [
  {
    "Server": "dc.your-domain.de",
    "SearchBases": { "DC=your-domain,DC=de": "Subtree" },
    "Schema": "Active Directory",
    "IsRecursiveGroupMembership": true,
    "Port": 636,
    "IsSsl": true,
    "IsNoCertificateCheck": true
  },
  {
    "Server": "dc.your-secondary-domain.de",
    "SearchBases": { "DC=your-domain,DC=de": "Subtree" },
    "Schema": "Active Directory",
    "IsRecursiveGroupMembership": true,
    "Port": 636,
    "IsSsl": true,
    "IsNoCertificateCheck": true
  }
]
crowbar27 commented 1 month ago

I see the benefits of the feature as we operate multiple servers as well, but I cannot promise a quick solution for that as I have limited time atm and the group mapping needs to be rewritten first. Nevertheless, what would be the behaviour you envision: (i) should the servers be load balanced round robin or (ii) should it be a fallback once the first server in the list is timing out. If it would be a fallback solution, should a failing server be blacklisted for subsequent requests (that would be reasonable as timing out on a server that is known to be bad for each request is not reasonable imo) and if so, when would a fail back occur?

And another question: In your suggested configuration change, you have a per-server search base? Would that be really necessary and what would be the scenario for that (same for schema and recursive flag)? Wouldn't it be more realistic that this is the same for all servers (as they are mirrored)?

antoniolago commented 1 month ago

Hello, thanks for the fast response. I see both scenarios (i and ii) as valid in their own purposes; in our case I think fallback would be more appropriate, as we only want to use the secondary if the primary is offline (bc of power outages in our datacenter or something). As for the blocklist, it's an appropriate behavior to block if offline (maybe 1 or 2 tries) and after a while try to reach the primary again, check if it's online and remove it from the blocklist if that's the case. I don't think configuring the search base more than once is necessary, that's a good point.

I totally understand that this feature will not be implemented soon, it looks complex and we are just planning our next moves, not necessarily mirroring the Domain Controller in the cloud right now, but it's good to know this library is being constantly maintained. Keep up the good work, thanks.
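The fallback behaviour sketched in the two comments above (try the servers in the configured order, block a server after a couple of failed attempts, retry the primary after a while), written out as an added example; this is hypothetical illustration code, not the implementation in Visus.LdapAuthentication or its 2.x release, and the class name, the threshold of 2 failures, the 5-minute block and the injectable clock are all assumptions.

```csharp
using System;
using System.Collections.Generic;
// Constructed simulation: the primary times out twice, gets blocked, and is failed back to later.
var clock = new DateTime(2024, 1, 1, 0, 0, 0, DateTimeKind.Utc);   // constructed, injectable time
bool primaryUp = false;                                             // constructed outage
var selector = new FailoverServerSelector(
    new[] { "dc.your-domain.de", "dc.your-secondary-domain.de" },
    maxFailures: 2, blockDuration: TimeSpan.FromMinutes(5), now: () => clock);
Func<string, string> bind = s =>
    s.StartsWith("dc.your-domain") && !primaryUp ? throw new TimeoutException(s) : s;
for (int i = 0; i < 3; i++) Console.WriteLine(selector.Execute(bind)); // secondary, 3 times
primaryUp = true; clock = clock.AddMinutes(6);                          // outage over, block expired
Console.WriteLine(selector.Execute(bind));                              // primary again

// Hypothetical fallback selector (not the library's code): servers are tried in order, a server is
// blocked after maxFailures consecutive failures and retried once blockDuration elapsed (fail-back).
public sealed class FailoverServerSelector
{
    private readonly IReadOnlyList<string> _servers;            // primary first
    private readonly int _maxFailures;
    private readonly TimeSpan _blockDuration;
    private readonly Func<DateTime> _now;
    private readonly Dictionary<string, int> _failures = new();
    private readonly Dictionary<string, DateTime> _blockedUntil = new();
    public FailoverServerSelector(IReadOnlyList<string> servers, int maxFailures, TimeSpan blockDuration, Func<DateTime> now)
    { _servers = servers; _maxFailures = maxFailures; _blockDuration = blockDuration; _now = now; }
    // Runs 'operation' (e.g. an LDAP bind) against the first usable server.
    public T Execute<T>(Func<string, T> operation)
    {
        Exception? last = null;
        foreach (var server in _servers)
        {
            // Still blocked: skip. An expired block means this call is the fail-back attempt.
            if (_blockedUntil.TryGetValue(server, out var until) && _now() < until) continue;
            try
            {
                var result = operation(server);
                _failures.Remove(server); _blockedUntil.Remove(server);    // healthy again
                return result;
            }
            catch (Exception ex)
            {
                last = ex;
                var n = _failures[server] = _failures.GetValueOrDefault(server) + 1;
                if (n >= _maxFailures) _blockedUntil[server] = _now() + _blockDuration;
            }
        }
        throw new InvalidOperationException("No LDAP server reachable.", last);
    }
}
```

Independently of the failover logic, the sample configuration in this issue sets `IsNoCertificateCheck: true` on both servers; once the secondary is reached across the internet from a cloud provider, keeping certificate validation enabled is what protects the LDAPS connection.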

crowbar27 commented 4 weeks ago

A quick update on that: As I have Visus.DirectoryAuthentication in production on Linux as well, I will prepare v2 which will consolidate both libraries and also introduce breaking changes. Multiple servers will be supported in 2.x, but not in the backward-compatible 1.x.

antoniolago commented 4 weeks ago

That's great!!! thanks for the update.

crowbar27 commented 3 weeks ago

You can try the new version now from main. I still need to update the docs though.

crowbar27 commented 3 weeks ago

Available in NuGet prerelease package 2.0.0-pre1

antoniolago commented 2 weeks ago

That's awesome!

As soon as I can (which can be some months due to business priorities) I will test it and let you know =)