Allow Cacti to use multiple possible LDAP servers #4299
Comments
Actually, if you use the LDAP domains section, you can have multiple LDAP authentication. One of the updates to 1.3 will be to remove the older single LDAP configuration. |
Oh, do you mean a backup LDAP server? |
Yes
…On Thu., Jun. 10, 2021, 22:08 Mark Brugnoli-Vinten, < ***@***.***> wrote:
Oh, do you mean a backup LDAP server?
|
OK, so first thing to define, which of these known errors should failover to the backup:
```php
const None = 0;
const Success = 0;
const Failure = 1;
const UndefinedUsername = 2;
const ProtocolErrorVersion = 3;
const ProtocolErrorReferral = 4;
const ProtocolErrorTls = 5;
const MissingLdapObject = 6;
const ProtocolErrorGeneral = 7;
const InsufficientAccess = 8;
const ConnectionUnavailable = 9;
const ConnectionTimeout = 10;
const ProtocolErrorBind = 11;
const SearchFoundNoGroup = 12;
const SearchFoundMultiUser = 13;
const SearchFoundNoUser = 14;
const SearchFoundNoUserDN = 15;
const UndefinedDnOrPassword = 16;
const Disabled = 99;
```
|
Work is underway to simplify LDAP settings by removing from global and just using the user domains. Feel free to run in a test lab, but the upgrade process isn't right yet if you were already using LDAP (not multiple LDAP). I just wanted to commit it so you can see what has been going on. |
Not using a VIP or RRDNS with VIPs? |
It's more to cover a setup that doesn't have one. I agree you would have a
VIP or something else.
…On Fri., Jun. 25, 2021, 15:09 TheWitness, ***@***.***> wrote:
Not using a VIP or RRDNS with VIPs?
|
So, we are still at the point of deciding which of the above errors can cause a failover to the secondary server. And I presume the secondary must have all the same settings aside from hostname? |
I will set up an LDAP server and check the failure types, and yeah, they would
all be the same.
…On Mon., Jun. 28, 2021, 19:24 Mark Brugnoli-Vinten, < ***@***.***> wrote:
So, we are still at the point of deciding which of the above errors can
cause a failover to the secondary server. And I presume the secondary must
have all the same settings aside from hostname?
|
If I may add some input, I'm using multiple LDAP config, and for me this 2 should be handled: The other are LDAP data error, not kind of protocol related error. So if you have a replication of the 2 LDAP servers, the other errors are most likely to be the same. Just my point to the reflection! |
Oh crap I totally forgot about this one!
And I submitted it!... Fail
I will look at some other response codes and send them over
…On Mon., Oct. 18, 2021, 07:45 Arno Streuli, ***@***.***> wrote:
If I may add some input, I'm using multiple LDAP config, and for me this 2
should be handled:
const ConnectionUnavailable = 9;
const ConnectionTimeout = 10;
const ProtocolErrorBind = 11;
The other are LDAP data error, not kind of protocol related error. So if
you have a replication of the 2 LDAP servers, the other errors are most
likely to be the same.
Even the error about the version, should give you other error on your
domain, and is not supposed to be different on master and backup server.
Just my point to the reflection!
|
The way that I would implement this is to explode the hostname based upon a space or other character and then based upon the response use the second hosts to test. Of course, it might be better served by a VIP, but we can implement two settings for those that lack the IT skills to deploy LDAP using a Linux Cluster or a cluster of Linux Clusters. |
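The host-splitting failover described in the comment above, as an added example that is not Cacti's code and not part of the original thread. It assumes the failover set is the three connection-level codes proposed earlier in the thread; `auth_with_failover`, the `$attempt` callable and the `example.test` host names are hypothetical.

```php
<?php
// Added example, not Cacti code. Values copied from the list in this thread.
final class LdapResult
{
    const Success               = 0;
    const Failure               = 1;
    const ConnectionUnavailable = 9;
    const ConnectionTimeout     = 10;
    const ProtocolErrorBind     = 11;
    // Assumption: only the three codes proposed in the thread fail over.
    const Failover = [
        self::ConnectionUnavailable,
        self::ConnectionTimeout,
        self::ProtocolErrorBind,
    ];
}

/**
 * Try each host of a space-separated setting in order.
 * $attempt is a hypothetical callable(string $host): int that binds and
 * searches against one server and returns one of the codes above.
 */
function auth_with_failover(string $hostSetting, callable $attempt): array
{
    $hosts = preg_split('/\s+/', trim($hostSetting), -1, PREG_SPLIT_NO_EMPTY);
    $code  = LdapResult::ConnectionUnavailable; // result when no host is set
    $tried = [];

    foreach ($hosts as $host) {
        $tried[] = $host;
        $code    = $attempt($host);
        // Any answer outside the failover set is authoritative: success,
        // a bad password or an unknown user is not retried on the replica,
        // so one bad login does not count against lockout on every server.
        if (!in_array($code, LdapResult::Failover, true)) {
            break;
        }
    }
    // If every host failed over, the last error is returned (fail closed).
    return ['code' => $code, 'tried' => $tried];
}

// Constructed stub: the primary times out, the backup rejects the password.
$stub = fn(string $host): int => $host === 'ldap1.example.test'
    ? LdapResult::ConnectionTimeout : LdapResult::Failure;

$result = auth_with_failover('ldap1.example.test ldap2.example.test', $stub);
printf("code=%d tried=%s\n", $result['code'], implode(',', $result['tried']));
```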
Don't you think if you have a VIP, you don't really have a 'second' host. And sometimes it's not a question of lack of knowledge of Linux clustering, but Datacenter design. (using Windows AD, or not in cluster config, but different server with synchronisation) |
The fix is really simple. |
Allow Cacti to use multiple possible LDAP servers
Moved this to 1.2.19 as it's such a simple fix. Please test. |
I don't like the solution, but it works now.
After testing, it was not as simple as I thought. However, I've worked through the various ins and outs of the library, and though I don't completely like the solution, it's workable for this release. |
@bmfmancini test in the morning. No need for a zoom. If it's workable for you, just close this. |
Found that our LDAP setup uses default timeouts. Addressing that today. |
Hey Guys,
In the current Cacti LDAP settings you are only able to provide a single LDAP server.
It would be good to be able to add a secondary server.
Thanks!