Re: Multiple LDAP Servers for ldap Authentication

From: Richard Yen <richyen3(at)gmail(dot)com>
To: "Kumar, Virendra" <Virendra(dot)Kumar(at)guycarp(dot)com>
Cc: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, "pgsql-general(at)lists(dot)postgresql(dot)org" <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Re: Multiple LDAP Servers for ldap Authentication
Date: 2021-04-09 22:21:45
Message-ID: CAKH4vDg_7XXe3LsdptWutQZFozy6TRzU1UVE1ZBx++6-rvo+XQ@mail.gmail.com
Lists: pgsql-general

On Thu, Dec 20, 2018 at 9:17 PM Kumar, Virendra <Virendra(dot)Kumar(at)guycarp(dot)com>
wrote:

> I figured it out, this is how it works:
> --
> host all all 0.0.0.0/0
> ldap ldapserver=server1.com ldapserver=server2.com ldapprefix=PROD01\
>
> So documentation need some update.
>

Just FYI, I tried out this method on my setup, and it did not work.
Postgres (I tried on v. 10 and v. 12) will always pick the last
"ldapserver=" tag that it parses. Alvaro's format (ldapserver="server1
server2") works for me. To be clear:

<snippet>
# does not work:
host all all 0.0.0.0/0 ldap ldapserver=ldap-service1 ldapserver=ldap-service2 ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389

# this works:
host all all 0.0.0.0/0 ldap ldapserver="ldap-service1 ldap-service2" ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389
</snippet>

For anyone who comes across this in the future, I have also compiled a
short YouTube video to demonstrate the behavior of the two formats:
https://youtu.be/kjlwwfHdpWg

--Richard

> Regards,
> Virendra
>
> -----Original Message-----
> From: Alvaro Herrera [mailto:alvherre(at)2ndquadrant(dot)com]
> Sent: Thursday, December 20, 2018 3:25 PM
> To: Kumar, Virendra
> Cc: pgsql-general(at)lists(dot)postgresql(dot)org
> Subject: Re: Multiple LDAP Servers for ldap Authentication
>
> On 2018-Dec-20, Kumar, Virendra wrote:
>
> > Comma separated doesn't work as well.
>
> Please separate by a comma and a space, not just a comma. My reading of
> the OpenLDAP source code, and some quick experiments comparing failure
> patterns, suggest that that exact combination may work. (OpenLDAP is
> not exactly well commented.) I think one problem you may or may not hit
> is the PostgreSQL authentication timeout expiring sooner than OpenLDAP
> is willing to try the second server.
>
> --
> Álvaro Herrera https://www.2ndQuadrant.com/
> PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
>

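The two entries above differ only in where the second host sits, and a duplicated ldapserver= is easy to miss in review. The following is an added example written for this page (it is not code from the thread or from PostgreSQL): a small pg_hba.conf linter that tokenizes entries the way the thread relies on (whitespace-separated fields, double-quoted segments may contain spaces), resolves repeated options last-value-wins as Richard reports for v10 and v12, and reports which hosts actually survive. The sample pg_hba.conf body, the host names and the third no-TLS entry are constructed for the example; the clear-text check is an addition not discussed in the thread and assumes simple bind over an unencrypted connection.

```python
"""Lint pg_hba.conf 'ldap' entries for the repeated-ldapserver mistake.

Added example, not part of the thread or of PostgreSQL. Tokenizing follows the
pg_hba.conf rules used in the thread: fields are whitespace-separated and a
double-quoted segment may contain spaces. Repeated options are resolved
last-value-wins, which is what Richard observed on v10 and v12.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample entries (not from any real deployment). Entry 1 repeats
# ldapserver=, entry 2 lists both hosts in one quoted value, entry 3 has no TLS.
SAMPLE_PG_HBA = """\
# does not work: the second ldapserver= replaces the first
host all all 0.0.0.0/0 ldap ldapserver=ldap-service1 ldapserver=ldap-service2 ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389
# works: one ldapserver option whose quoted value lists both hosts
host all all 0.0.0.0/0 ldap ldapserver="ldap-service1 ldap-service2" ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389
# single server, no TLS (constructed to show the clear-text finding)
host all all 10.0.0.0/8 ldap ldapserver=ldap-service1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org"
"""

AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
                "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

# One field: a run of bare characters and/or double-quoted segments, e.g. ldapsuffix=", dc=org"
_FIELD = re.compile(r'(?:[^\s"]+|"[^"]*")+')


def tokenize(line: str) -> List[str]:
    """Split a pg_hba.conf line into fields, dropping the quotes around quoted segments."""
    return [f.replace('"', "") for f in _FIELD.findall(line)]


def parse_options(fields: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Build the option map last-value-wins and list the keys that appeared more than once."""
    opts: Dict[str, str] = {}
    repeated: List[str] = []
    for field in fields:
        key, sep, value = field.partition("=")
        if not sep:
            raise ValueError(f"auth option without '=': {field!r}")
        if key in opts and key not in repeated:
            repeated.append(key)
        opts[key] = value
    return opts, repeated


def parse_entry(line: str) -> Optional[dict]:
    """Return {'method', 'options', 'repeated'} for one entry, or None for blank/comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = tokenize(stripped)
    # 'local' entries carry no address; 'host*' entries carry a CIDR, or address + netmask fields
    idx = 3 if fields[0] == "local" else 4
    if len(fields) <= idx:
        raise ValueError(f"too few fields: {line!r}")
    if fields[idx] not in AUTH_METHODS and idx + 1 < len(fields) and fields[idx + 1] in AUTH_METHODS:
        idx += 1  # address and netmask were given as two separate fields
    opts, repeated = parse_options(fields[idx + 1:])
    return {"method": fields[idx], "options": opts, "repeated": repeated}


def effective_servers(entry: dict) -> List[str]:
    """Hosts that survive parsing: the space-separated list inside the one ldapserver= value."""
    return entry["options"].get("ldapserver", "").split()


def lint_ldap_entry(entry: dict) -> List[str]:
    """Findings for one parsed 'ldap' entry; an empty list means nothing to flag."""
    opts, findings = entry["options"], []
    for key in entry["repeated"]:
        findings.append(f"{key}= given more than once; only the last value ({opts[key]!r}) takes effect")
    if "ldapserver" not in opts and "ldapurl" not in opts:
        findings.append("no ldapserver= or ldapurl=; the entry has nowhere to bind")
    # Assumption: simple bind sends the password in clear text unless the connection is encrypted
    encrypted = (opts.get("ldaptls") == "1" or opts.get("ldapscheme") == "ldaps"
                 or opts.get("ldapurl", "").startswith("ldaps://"))
    if not encrypted:
        findings.append("neither ldaptls=1 nor an ldaps scheme: bind password crosses the network in clear text")
    return findings


def lint_pg_hba(text: str) -> List[dict]:
    """Lint every 'ldap' entry in a pg_hba.conf body; one result dict per entry, in file order."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is None or entry["method"] != "ldap":
            continue
        results.append({"line": lineno, "servers": effective_servers(entry),
                        "findings": lint_ldap_entry(entry)})
    return results


if __name__ == "__main__":
    for r in lint_pg_hba(SAMPLE_PG_HBA):
        status = "OK " if not r["findings"] else "BAD"
        print(f"{status} line {r['line']}: servers={r['servers']}")
        for finding in r["findings"]:
            print("      -", finding)
```

Running it against the sample shows the first entry reduced to ldap-service2 alone, the second carrying both hosts, and the third flagged for clear-text bind. Alvaro's caveat about authentication_timeout still applies to the working form: that setting lives in postgresql.conf, not pg_hba.conf, so this linter cannot see it and it has to be checked separately.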