[Samba] multiple ldap servers

Jochen Schneider jochen.schneider at mediaways.net
Fri Nov 15 12:31:02 GMT 2002


Nathan Ehresman wrote:

> Andrew Bartlett wrote:
> > "Gerald (Jerry) Carter" wrote:
> >>On Fri, 1 Nov 2002, Nathan Ehresman wrote:
> >>>Hello,
> >>>
> >>>I was looking at the ldap authentication code (in 2.2.5) and it looks
> >>>like there is no support for having multiple ldap servers for
> >>>authentication (ie, if one is not responding, try from a backup).  Does
> >>>anyone have a patch to add this functionality?  If not, I'll go ahead
> >>>and do it but I wanted to check to see if it has already been done first.
> >>
> >>Check the HEAD code.  There may be support in there you can back port.
> > 
> > No such support at present, but in HEAD you can come close by setting up
> > 2 passdb backends.  (This isn't ideal however, because lookups that fail
> > in the first will always go to the second).
> > 
> > Adding such support to HEAD would be very nice - the difficult bit is
> > actually deciding how to construct smb.conf options.
> 
> I've added support for this to my copy of 2.2.5.  I've run it through 
> several tests with different combinations of our ldap servers being up 
> and down during our off hours here to verify it, and things seem to 
> be working just fine so I thought I'd send you guys a patch if you are 
> interested.
> 
> As far as syntax for the smb.conf options, I just used the existing 
> option ("ldap server") but allowed for multiple hosts to be separated by 
> a space or comma.  This was simple but doesn't take into account the 
> possibility of ldap servers running on different ports.
> 
> Thanks for everything you guys do.
> 
> Nathan Ehresman
> ----
> 

> --- samba-2.2.5/source/passdb/pdb_ldap.c	Fri Nov  1 14:13:39 2002
> +++ samba-2.2.5/source/passdb/pdb_ldap.c	Fri Nov  1 14:34:22 2002
> 

[...]@@ -117,6 +117,9 @@
> +	while (!conn_established && next_token(&ptr, server, ", ", sizeof(server))) {
> +		DEBUG(10,("Initializing connection to %s on port %d\n", server, port ));
> +		if ((*ldap_struct = ldap_init(server, port)) == NULL)
> +			DEBUG(0, ("The LDAP server on %s is not responding !\n", server));
> +		else
> +			conn_established = 1;
> +	}
>  		
> -	if ((*ldap_struct = ldap_init(lp_ldap_server(), port)) == NULL)	{
> -		DEBUG(0, ("The LDAP server is not responding !\n"));
> +	if (!conn_established) {
> +		DEBUG(0, ("None of the specified LDAP servers are responding!\n"));
[...]
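Review bot: the failover condition in the new while loop at the top of this hunk does not test what the message says it tests: `ldap_init()` only allocates the handle and does not contact the server (the ldap_open man page states that ldap_init acts like ldap_open but does not open a connection), so a host that is down still returns a non-NULL handle, `conn_established` is set on the first entry in the list, the remaining entries are never tried, and the failure only surfaces later at bind time. Either probe each host before setting `conn_established` (an `ldap_open()` or a bind attempt per entry), or hand the unmodified option string to `ldap_init()`, which already accepts a blank-separated `host[:port]` list. The `DEBUG(0, ("The LDAP server on %s is not responding !\n", server))` text is also misleading for a NULL from `ldap_init()`, which indicates an allocation or argument error rather than an unreachable host; the declarations of `ptr` and `server` are outside the visible hunk, so the buffer size passed to `next_token()` cannot be checked here.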

Hi Nathan,

it's probably easier than you imagined. ldap_open / ldap_init accept
multiple hosts and each with individual port settings as a default
behaviour. See the ldap_open man-page for details. 

----------------
(from man ldap_init)
ldap_open()  takes  host,  the hostname on which the LDAP server is
running, and port, the port number to which to connect.  If the default
IANA-assigned port of 389 is desired, LDAP_PORT should be specified for
port. The host parameter may contain  a  blank-separated  list  of
hosts  to  try to connect to, and each host may optionally be of the
form host:port.  If present, the :port overrides the port parameter to
ldap_open().
----------------

hth,
 Jochen

-- 
           jochen.schneider at mediaways.net
<< 'Doing linear scans over an associative array is like trying to club
 someone to death with a loaded Uzi.' >>  - Larry Wall
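An added example (not Samba's code and not part of this thread) showing how a space- or comma-separated "ldap server" value can be split into host/port pairs with the ":port" override the man page describes, so the hosts and ports that will be tried can be validated or logged before the string is handed to ldap_init(); the struct name, the MAX_HOSTS limit and the sample value are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LDAP_DEFAULT_PORT 389  /* IANA-assigned LDAP port from the man page */
#define MAX_HOSTS 8            /* assumed limit for this example */

struct ldap_host { char host[64]; int port; };

/* Split a blank- or comma-separated "host[:port]" list (the form ldap_open()
 * accepts) into host/port pairs.  A ":port" suffix overrides default_port.
 * Returns the number of hosts, or -1 on a malformed entry (empty host, host
 * too long, non-numeric or out-of-range port, too many hosts).
 * Caveat: bare IPv6 literals contain ':' and are not handled by this form. */
int parse_ldap_server_list(const char *list, int default_port,
                           struct ldap_host *out, int max_hosts)
{
    int n = 0;
    const char *p = list;

    while (*p) {
        while (*p == ' ' || *p == '\t' || *p == ',') p++;   /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ' ' && *p != '\t' && *p != ',') p++;
        size_t len = (size_t)(p - start);
        const char *colon = memchr(start, ':', len);
        size_t hostlen = colon ? (size_t)(colon - start) : len;
        int port = default_port;

        if (n >= max_hosts || hostlen == 0 || hostlen >= sizeof(out[n].host))
            return -1;
        if (colon) {
            char *end;
            long v = strtol(colon + 1, &end, 10);
            if (end == colon + 1 || end != start + len || v < 1 || v > 65535)
                return -1;          /* reject "host:", "host:abc", "host:70000" */
            port = (int)v;
        }
        memcpy(out[n].host, start, hostlen);
        out[n].host[hostlen] = '\0';
        out[n].port = port;
        n++;
    }
    return n;
}
```

With a constructed value such as "ldap1.example.com ldap2.example.com:636, 10.0.0.5:3268" the parser yields ports 389, 636 and 3268 respectively, which is exactly the per-host port override Nathan's comma/space split does not carry.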