[keycloak-user] multiple ldap servers (failover)

mj lists at merit.unu.edu
Sat Nov 19 09:22:43 EST 2016


Hi Marek,

On 11/18/2016 09:58 PM, Marek Posolda wrote:
> +1 . Never use h2 in production.
ok, duly noted, thanks both.

> For LDAP, we didn't yet try to test the configuration like this. What we
> do is, that the configured "Connection URL" is used as the property
> "java.naming.provider.url" of the LDAP InitialContext. So if that is
> supported by Java OOTB, then it works. Otherwise probably not. You can
> double-check and possibly create JIRA with the example URLs of your AD DCs.

Ok, reading this:
http://stackoverflow.com/questions/40218516/a-way-to-define-implement-failover-ldap-servers-in-java-code
makes me think that we should be able to provide multiple ldap servers,
space separated.

Trying this:
Connection URL #1:
ldaps://nonexistant-dns.company.com:636 ldaps://ldap.company.com:636
Result: connection OK, authentication OK
(It ignores the non-existent URL, and talks to the second URL)

Connection URL #2:
ldaps://ldap1.company.com:636 ldaps://ldap2.company.com:636
AND make iptables drop all traffic from ldap1.company.com
Result: timeout in the logs, and connection does NOT work

Connection URL #3:
ldaps://ldap1.company.com:636 ldaps://ldap2.company.com:636
AND make iptables drop all traffic from ldap2.company.com
Result: connection OK, authentication OK

My conclusion #1: the field accepts valid and invalid URLs, invalid URLs
are silently skipped, and the second (valid) URL is checked and
validated. (expected: some error about the first invalid URL)

My conclusion #2: further to conclusion #1, it seems that keycloak is
able to skip URLs, so it should also be able to skip to the next URL, if
a server happens to be down, but this does not happen, authentication
not possible, and the check fails. It 'hangs' on the non-responding URL.

For a piece of software so vital for authentication, we feel that 
multiple ldap servers (failover) is a must.

So, do you think that this is worth filing 'a JIRA' about?

MJ
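The behaviour MJ observes comes down to how the JNDI LDAP provider walks a space-separated `java.naming.provider.url` list: a host whose name does not resolve fails immediately and the provider moves on, but a host that silently drops packets (the iptables case) blocks in the TCP connect until the OS socket timeout expires, which looks like a hang. The following standalone Java probe is an added illustration and is not Keycloak code or code from the thread; it assumes two placeholder hostnames (`ldap1.example.com`, `ldap2.example.com`) and a placeholder bind DN and password, and it uses the provider's own `com.sun.jndi.ldap.connect.timeout` and `com.sun.jndi.ldap.read.timeout` properties to bound each attempt. It shows both the single-property list form from the mail and an explicit per-URL loop that records which server answered and how long each attempt took, so a dropped host is reported rather than waited on indefinitely.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Probe LDAP failover behaviour from plain JNDI, outside Keycloak.
 * All hostnames and credentials below are constructed placeholders.
 */
public class LdapFailoverProbe {

    // Constructed sample servers; replace with real LDAPS endpoints when running.
    static final String[] URLS = {
        "ldaps://ldap1.example.com:636",
        "ldaps://ldap2.example.com:636"
    };
    static final String CONNECT_TIMEOUT_MS = "3000"; // bound the TCP connect
    static final String READ_TIMEOUT_MS = "5000";    // bound the wait for a response

    /** Common JNDI environment for one provider URL (or a space-separated list). */
    static Hashtable<String, String> env(String providerUrl, String bindDn, String password) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Without these two properties a host that drops packets blocks until the
        // operating system gives up on the connect, which can take minutes.
        env.put("com.sun.jndi.ldap.connect.timeout", CONNECT_TIMEOUT_MS);
        env.put("com.sun.jndi.ldap.read.timeout", READ_TIMEOUT_MS);
        return env;
    }

    /** Variant 1: the form tried in the mail, all URLs in one property value. */
    static DirContext connectWithUrlList(String bindDn, String password) throws NamingException {
        String list = String.join(" ", URLS);
        long start = System.nanoTime();
        DirContext ctx = new InitialDirContext(env(list, bindDn, password));
        System.out.printf("provider-url list bound after %d ms%n", elapsedMs(start));
        return ctx;
    }

    /** Variant 2: explicit loop, so the caller sees which URL failed and why. */
    static DirContext connectWithFailover(String bindDn, String password) throws NamingException {
        NamingException last = null;
        for (String url : URLS) {
            long start = System.nanoTime();
            try {
                DirContext ctx = new InitialDirContext(env(url, bindDn, password));
                System.out.printf("bound to %s in %d ms%n", url, elapsedMs(start));
                return ctx;
            } catch (NamingException e) {
                // Record the failure and move to the next server; a dropped host
                // surfaces here after CONNECT_TIMEOUT_MS instead of hanging.
                System.err.printf("%s failed after %d ms: %s%n", url, elapsedMs(start), e);
                last = e;
            }
        }
        throw last != null ? last : new NamingException("no LDAP URLs configured");
    }

    static long elapsedMs(long startNanos) {
        return (System.nanoTime() - startNanos) / 1_000_000;
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder credentials; a real run needs a service account DN and its password.
        String bindDn = "cn=keycloak-bind,ou=service,dc=example,dc=com";
        String password = "PLACEHOLDER_PASSWORD";
        DirContext ctx = connectWithFailover(bindDn, password);
        ctx.close();
    }
}
```

Reproducing MJ's second test (drop traffic to the first host with iptables) against this probe separates the two questions in the thread: whether the JNDI list form advances to the next URL once the connect timeout fires, and how long an unbounded connect actually blocks on that platform. The timeout values are assumptions to tune per environment; the property names are the standard ones the JDK LDAP provider reads.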
