Yubico / yubico-pam

Yubico Pluggable Authentication Module (PAM)
https://developers.yubico.com/yubico-pam
BSD 2-Clause "Simplified" License

Multiple ldap servers #53

Open kai1074 opened 9 years ago

kai1074 commented 9 years ago

Hello, are you planning to support multiple LDAP server redundancy in order to improve reliability? Something like:

auth required pam_yubico.so mode=client try_first_pass \
    id=3 \
    verbose_otp \
    key=dcvEzJnnTwCCKLNkNEPEnRh2Fis= \
    ldap_uri1=ldap:// ldapdn1= \
    binddn1= \
    bindwp1= \
    ldap_uri2=ldap:// ldapdn2= \
    binddn2= \
    bindwp2= \
    urllist= \
    user_attr=uid \
    yubi_attr=yubiKeyId

That would be very nice!

TIA, Stefano

klali commented 9 years ago

Currently no plans to support that. We might be interested in merging patches if it can be implemented in a clean way (and preferably showing other projects successfully implementing something similar).

/klas

mabels commented 9 years ago

I would do that by using the ldap_uri and enabling it to read a URL that looks like this:

ldap://user:pass@host:port/dn,ldap://user:pass@host:port/dn

I will add this after the merge :) of my monster pull

https://github.com/Yubico/yubico-pam/pull/44

exeba commented 3 years ago

Dovecot allows multiple URIs for LDAP passdb and userdb lookups. I've briefly looked over their code and it seems that part of that is already supported in the OpenLDAP library. With the current PAM module I can already specify multiple URIs separated by comma and the servers will be queried in order, returning the first response. The annoying thing is that if the first server is down, I'll have to wait for the connection timeout before having a response from the others. Basically the missing part here is a smart way to detect a failing server.

exeba commented 3 years ago

I confirm that setting a connection timeout of 1 second via LDAP_OPT_NETWORK_TIMEOUT allows for a faster switch in case of an unavailable server.

It's still not optimal but way better than the current behaviour. If you are interested in this, I'm willing to create a pull request to include this option into the module (maybe called ldap_connection_timeout?)
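The behaviour described in the two comments above (a comma-separated URI list tried in order, with a short network timeout so a dead first server costs at most one timeout rather than the OS default) can be seen in isolation with the following added example. It is not pam_yubico or OpenLDAP code: it probes each server's TCP port with a per-connection timeout (a stand-in for what libldap does under `LDAP_OPT_NETWORK_TIMEOUT`), assumes the standard default ports 389 for ldap:// and 636 for ldaps://, and builds its "down" and "up" servers on the loopback interface so it runs offline.

```python
"""Ordered failover over a comma-separated LDAP URI list with a short
network timeout.  Added illustration, not pam_yubico or libldap code."""
import socket
from urllib.parse import urlsplit

# Standard default ports; assumed here, as libldap does when a URI has none.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_uri_list(uri_list):
    """Split 'ldap://a, ldaps://b:6360' into (scheme, host, port) tuples,
    preserving the written order, which is the order servers are tried."""
    servers = []
    for raw in uri_list.split(","):
        raw = raw.strip()
        if not raw:
            continue
        parts = urlsplit(raw)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError("unsupported LDAP URI: %r" % raw)
        port = parts.port or DEFAULT_PORTS[parts.scheme]
        servers.append((parts.scheme, parts.hostname, port))
    return servers


def first_reachable(uri_list, timeout=1.0):
    """Return (index, errors): the index of the first server whose port
    accepted a TCP connection within `timeout` seconds (None if all failed),
    plus a dict of per-server error text for the ones that were skipped.
    A one-second timeout bounds the delay a dead first server can add."""
    errors = {}
    for i, (scheme, host, port) in enumerate(parse_ldap_uri_list(uri_list)):
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return i, errors
        except OSError as exc:
            errors["%s://%s:%d" % (scheme, host, port)] = str(exc)
    return None, errors


def demo(timeout=1.0):
    """Constructed scenario: first URI points at a closed loopback port
    (connection refused), second at a listening one.  Returns the index
    chosen and the error map for the server that was skipped."""
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))
    dead_port = dead.getsockname()[1]
    dead.close()                      # nothing listens here any more

    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(1)                    # backlog is enough; no accept needed
    live_port = live.getsockname()[1]
    try:
        uris = "ldap://127.0.0.1:%d, ldap://127.0.0.1:%d" % (dead_port, live_port)
        return first_reachable(uris, timeout=timeout)
    finally:
        live.close()


if __name__ == "__main__":
    index, errors = demo()
    print("selected server index:", index)
    for uri, err in errors.items():
        print("skipped", uri, "->", err)
```

The refused connection on loopback fails immediately; against a host that silently drops packets, the same loop instead pays exactly `timeout` seconds per dead server before moving on, which is the improvement the one-second `LDAP_OPT_NETWORK_TIMEOUT` setting buys over the OS default connect timeout.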

klali commented 3 years ago

That sounds OK to me @exeba, I can review and merge something like that.