[keycloak-user] multiple ldap servers (failover)
mj
lists at merit.unu.edu
Sat Nov 19 09:22:43 EST 2016
Hi Marek,
On 11/18/2016 09:58 PM, Marek Posolda wrote:
> +1 . Never use h2 in production.
ok, duly noted, thanks both.
> For LDAP, we didn't yet try to test the configuration like this. What we
> do is, that the configured "Connection URL" is used as the property
> "java.naming.provider.url" of the LDAP InitialContext. So if that is
> supported by Java OOTB, then it works. Otherwise probably not. You can
> doublecheck and possibly create JIRA with the example URLs of your AD DCs.
Ok, reading this:
http://stackoverflow.com/questions/40218516/a-way-to-define-implement-failover-ldap-servers-in-java-code
makes me think that we should be able to provide multiple ldap servers,
space separated.
Trying this:
Connection URL #1:
ldaps://nonexistant-dns.company.com:636 ldaps://ldap.company.com:636
Result: connection OK, authentication OK
(It ignores the non-existent URL, and talks to the second URL)
Connection URL #2:
ldaps://ldap1.company.com:636 ldaps://ldap2.company.com:636
AND make iptables drop all traffic from ldap1.company.com
Result: timeout in the logs, and connection does NOT work
Connection URL #3:
ldaps://ldap1.company.com:636 ldaps://ldap2.company.com:636
AND make iptables drop all traffic from ldap2.company.com
Result: connection OK, authentication OK
My conclusion #1: the field accepts valid and invalid urls, invalid URLs
are silently skipped, and the second (valid) url is checked and
validated. (expected: some error about the first invalid URL)
My conclusion #2: further to conclusion #1, it seems that keycloak is
able to skip URLs, so it should also be able to skip to the next url, if
a server happens to be down, but this does not happen, authentication is
not possible, and the check fails. It 'hangs' on the non-responding URL.
For a piece of software so vital for authentication, we feel that
multiple ldap servers (failover) is a must.
So, do you think that this is worth filing 'a JIRA' about?
MJ
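The three tests above can be reproduced outside Keycloak with plain JNDI, since Keycloak hands the "Connection URL" string straight through as java.naming.provider.url. The example below is added here and is not code from the thread or from the Keycloak project. It assumes the hostnames ldap1.example.com / ldap2.example.com, a bind DN and password, and the timeout values; none of those come from the post. It shows the behaviour behind conclusions #1 and #2: the JDK LDAP provider tries each space-separated URL in turn and falls through to the next one on a CommunicationException, so a host that fails DNS resolution is skipped at once, but a host that silently drops packets keeps the TCP connect blocked until the OS gives up, and the second URL is never reached. Setting com.sun.jndi.ldap.connect.timeout (and read.timeout) bounds that wait so the provider can move on; an AuthenticationException is rethrown immediately and is not retried against another server.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

public class LdapFailoverCheck {

    /**
     * Opens a JNDI LDAP context against a space-separated list of URLs, the
     * same form Keycloak passes through as java.naming.provider.url.
     * connectTimeoutMillis bounds each host's TCP connect attempt; a value of
     * 0 reproduces the "hang" from the post, because a host that drops
     * packets then blocks until the OS connect timeout expires.
     */
    static DirContext connect(String providerUrls, String bindDn, String bindPassword,
                              int connectTimeoutMillis, int readTimeoutMillis)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrls); // multiple URLs, space separated
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        if (connectTimeoutMillis > 0) {
            // Per-URL connect bound; on expiry the provider raises a
            // CommunicationException and tries the next URL in the list.
            env.put("com.sun.jndi.ldap.connect.timeout", Integer.toString(connectTimeoutMillis));
        }
        if (readTimeoutMillis > 0) {
            // Bounds a bind/search that stalls after the TCP handshake succeeded.
            env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(readTimeoutMillis));
        }
        return new InitialDirContext(env);
    }

    public static void main(String[] args) {
        // Hypothetical hostnames and credentials, mirroring test #2 in the post
        // (first host blackholed by iptables, second host healthy).
        String urls = "ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636";
        String bindDn = "cn=keycloak,ou=service,dc=example,dc=com";
        String bindPassword = System.getenv().getOrDefault("LDAP_BIND_PASSWORD", "");

        // Run once without timeouts (the hanging case) and once with them.
        for (int timeout : new int[] {0, 3000}) {
            long start = System.nanoTime();
            DirContext ctx = null;
            try {
                ctx = connect(urls, bindDn, bindPassword, timeout, timeout);
                System.out.printf("connect.timeout=%d: bind OK after %d ms%n",
                        timeout, (System.nanoTime() - start) / 1_000_000);
            } catch (CommunicationException e) {
                // Reached only when every URL in the list failed to connect.
                System.out.printf("connect.timeout=%d: all servers unreachable after %d ms (%s)%n",
                        timeout, (System.nanoTime() - start) / 1_000_000, e.getMessage());
            } catch (NamingException e) {
                // Bad credentials, bad DN, TLS failure etc.: no failover is attempted.
                System.out.printf("connect.timeout=%d: failed without failover: %s%n",
                        timeout, e);
            } finally {
                if (ctx != null) {
                    try { ctx.close(); } catch (NamingException ignored) { }
                }
            }
        }
    }
}
```

With the first host dropping traffic and no connect timeout, the first iteration sits in the TCP connect for the kernel's SYN retry period (typically a couple of minutes on Linux) and never reaches ldap2, which matches the "timeout in the logs" of test #2; with a 3 s bound the same list binds against ldap2 after roughly three seconds. Test #1 succeeds in both modes because a DNS lookup failure surfaces immediately. Note that the timeout only helps when the bind can fall through to a second URL; with a single URL it just turns a long hang into a fast failure.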