Hi Marek,
On 11/18/2016 09:58 PM, Marek Posolda wrote:
+1 . Never use h2 in production.
ok, duly noted, thanks both.
For LDAP, we didn't yet try to test the configuration like this.
What we do is that the configured "Connection URL" is used as the property
"java.naming.provider.url" of the LDAP InitialContext. So if that is
supported by Java OOTB, then it works. Otherwise probably not. You can
double-check and possibly create JIRA with the example URLs of your AD DCs.
Ok, reading this:
http://stackoverflow.com/questions/40218516/a-way-to-define-implement-fai...
makes me think that we should be able to provide multiple LDAP servers,
space separated.
Trying this:
Connection URL #1:
ldaps://nonexistant-dns.company.com:636 ldaps://ldap.company.com:636
Result: connection OK, authentication OK
(It ignores the non-existent URL, and talks to the second URL)
Connection URL #2:
ldaps://ldap1.company.com:636 ldaps://ldap2.company.com:636
AND make iptables drop all traffic from
ldap1.company.com
Result: timeout in the logs, and connection does NOT work
Connection URL #3:
ldaps://ldap1.company.com:636 ldaps://ldap2.company.com:636
AND make iptables drop all traffic from
ldap2.company.com
Result: connection OK, authentication OK
My conclusion #1: the field accepts valid and invalid URLs, invalid URLs
are silently skipped, and the second (valid) URL is checked and
validated. (expected: some error about the first invalid URL)
My conclusion #2: further to conclusion #1, it seems that Keycloak is
able to skip URLs, so it should also be able to skip to the next URL, if
a server happens to be down, but this does not happen: authentication is
not possible, and the check fails. It 'hangs' on the non-responding URL.
For a piece of software so vital for authentication, we feel that
multiple LDAP servers (failover) are a must.
So, do you think that this is worth filing 'a JIRA' about?
MJ
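As an added illustration (not code from this thread or from Keycloak), the plain JNDI equivalent of what Marek describes: the space-separated list goes straight into java.naming.provider.url, and a connect/read timeout is what lets the JDK LDAP provider give up on a host that drops packets and move on to the next URL, rather than hanging as in test #2. The hostnames, bind DN and the LDAP_PROBE_PW environment variable are placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class LdapFailoverProbe {

    // Placeholder hosts standing in for the thread's ldap1/ldap2. The JDK LDAP
    // provider tries each space-separated URL in order until one connects.
    static final String PROVIDER_URLS =
        "ldaps://ldap1.example.com:636 ldaps://ldap2.example.com:636";

    /** Opens a bound LdapContext; throws NamingException if no URL in the list is usable. */
    static LdapContext connect(String urls, String bindDn, String password, int timeoutMs)
            throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, urls);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // A host that resolves but silently drops packets (the iptables case above)
        // only fails fast if a connect timeout is set; otherwise the provider waits
        // for the OS TCP connect timeout on that host before trying the next URL.
        env.put("com.sun.jndi.ldap.connect.timeout", Integer.toString(timeoutMs));
        env.put("com.sun.jndi.ldap.read.timeout", Integer.toString(timeoutMs));
        return new InitialLdapContext(env, null);
    }

    public static void main(String[] args) {
        String password = System.getenv("LDAP_PROBE_PW"); // placeholder credential source
        if (password == null) {
            System.err.println("set LDAP_PROBE_PW to the bind password");
            return;
        }
        long start = System.nanoTime();
        try {
            LdapContext ctx = connect(PROVIDER_URLS, "cn=probe,dc=example,dc=com", password, 3000);
            // Reading the root DSE confirms the bind reached a responding server.
            ctx.getAttributes("", new String[] {"namingContexts"});
            ctx.close();
            System.out.printf("connected and bound after %d ms%n",
                (System.nanoTime() - start) / 1_000_000);
        } catch (NamingException e) {
            System.out.printf("no server usable after %d ms: %s%n",
                (System.nanoTime() - start) / 1_000_000, e);
        }
    }
}
```

Run it once with the first host reachable and once with that host's traffic dropped: with the timeout set the second run should still report a successful bind after roughly the timeout, which is the failover behaviour the thread expects from the configured URL list.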