Junaid,

You've probably realized at this point that VCL does not support multiple LDAP servers per affiliation (I think we actually have a JIRA issue requesting this feature). Depending on your security requirements, one option would be to disable the SSL certificate validation done for the LDAP connections. You can disable it by adding the following line to /etc/openldap/ldap.conf:

TLS_REQCERT never

You'll need to restart httpd for that change to get picked up. Generally, I don't recommend disabling validation of certificates, but I thought I'd share this as an option in case your situation would be okay without that level of security.

Josh

On Monday, July 11, 2016 1:31:08 PM Junaid Ali wrote:
> Hi Jeff,
> Thanks for the pointer. In our case we use Active Directory for LDAP. I
> tried using the Active Directory domain name instead of a single server
> name, but using ldaps the certificate returned by the domain controller
> does not match the expected domain name and so VCL authentication fails.
>
> Thanks.
> Junaid.
>
>
> On Mon, Jul 11, 2016 at 10:40 AM, Jeffrey Kirby <[email protected]>
> wrote:
> > Junaid,
> >
> > I've always worked in environments where LDAP is in some sort of
> > high-availability configuration. If you have the authority to do so (if
> > LDAP is under your control), try doing a search on LDAP load balancers,
> > open source or otherwise, and make sure they have failover/monitoring
> > capability. A manual way that could do this for scheduled maintenance
> > only
> > would be a DNS change using a cname for the published LDAP hostname.
> >
> > As for doing it in VCL configuration, I'm of no use.
> >
> > jeff
> >
> >
> >
> > From: Junaid Ali <[email protected]>
> > To: [email protected]
> > Date: 07/08/2016 12:39 PM
> > Subject: Multiple LDAP Servers
> > ------------------------------
> >
> >
> >
> > Hello,
> > I was wondering if we can have multiple LDAP servers specified within the
> > $authMechs affiliation entry (e.g. comma separated list of servers rather
> > than a single server). So that if one of the LDAP servers is down for
> > maintenance, the next server could be used for authentication to the VCL
> > website.
> > Any ideas/suggestions?
> >
> > Thanks.
> > Junaid

-- 
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University
my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which are sent to or received by this account are subject to the NC Public Records Law and may be disclosed to third parties.
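As an added example (not code from the thread or from the VCL project), the following script audits an OpenLDAP client config for the TLS_REQCERT workaround discussed above and reports whether certificate checking has been weakened. It assumes the ldap.conf(5) syntax (one "KEYWORD value" per line, lines starting with '#' are comments, keywords are case-insensitive, and a repeated keyword's last occurrence wins); the hostnames and CA path in the two constructed samples are placeholders.

```python
"""Audit an OpenLDAP client config (ldap.conf) for weakened TLS checking.

Added example, not part of the mailing-list thread or of VCL. Assumes the
ldap.conf(5) format; "last occurrence wins" for repeated keywords is an
assumption made here.
"""

# TLS_REQCERT levels from weakest to strongest checking ("hard" = "demand").
LEVELS = {"never": 0, "allow": 1, "try": 2, "demand": 3, "hard": 3}
DEFAULT_LEVEL = "demand"  # ldap.conf(5) default when TLS_REQCERT is absent

# Constructed sample: the workaround from the thread, no trust anchor given.
SAMPLE_WEAK = """\
# /etc/openldap/ldap.conf (constructed sample)
BASE   dc=example,dc=edu
URI    ldaps://ad.example.edu
TLS_REQCERT never
"""

# Constructed sample: validation kept on, with the AD CA pinned explicitly.
SAMPLE_STRICT = """\
BASE   dc=example,dc=edu
URI    ldaps://dc1.example.edu ldaps://dc2.example.edu
TLS_CACERT /etc/openldap/certs/ad-root-ca.pem
TLS_REQCERT demand
"""

def parse_ldap_conf(text):
    """Return {KEYWORD: value}; a repeated keyword's last value wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def audit_ldap_conf(text):
    """Return (effective TLS_REQCERT level, list of findings)."""
    cfg = parse_ldap_conf(text)
    level = cfg.get("TLS_REQCERT", DEFAULT_LEVEL).lower()
    findings = []
    if level not in LEVELS:
        findings.append(f"unknown TLS_REQCERT level {level!r}")
    elif LEVELS[level] < LEVELS["demand"]:
        findings.append(f"TLS_REQCERT {level}: server certificate is not fully verified")
    uses_ldaps = any(u.lower().startswith("ldaps://") for u in cfg.get("URI", "").split())
    if uses_ldaps and not ({"TLS_CACERT", "TLS_CACERTDIR"} & cfg.keys()):
        findings.append("ldaps:// URI with no explicit TLS_CACERT/TLS_CACERTDIR trust anchor")
    return level, findings
```

Running audit_ldap_conf over the weak sample yields two findings, over the strict one none.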
