In Progress
Status Update
Comments
th...@yahoo.com <th...@yahoo.com> #2
Multiple LDAP servers are supported. At the Wikimedia Foundation we do
server =<% @ldap_hosts.each do |ldap_host| %> ldaps://<%= ldap_host %><% end %>
(which basically is server = ldaps://<ldap> ldaps://<ldap>)
(notice two servers on the same line).
ge...@gmail.com <ge...@gmail.com> #3
Oh, wow, I never knew about that. It is also not documented like that in Gerrit. Apparently, the string in ldap.server is passed on to the Context.PROVIDER_URL of the JRE and it allows space-separated URLs [1].
Reminds me I should test the RFC 2782 [2] notation again with LDAP for high-availability: ldap:///dc=domain,dc=tld should be high-available with all LDAP servers specified in DNS via the SRV records.
[1]:https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html
[2]:https://www.rfc-editor.org/rfc/rfc2782.txt
ab...@gmail.com <ab...@gmail.com> #4
Thank you Thomas for the solution/workaround.
Documentation for Gerrit side needs to convey this feature is already supported.
ge...@gmail.com <ge...@gmail.com> #5
I'm willing to add this to the documentation, but I have a hard time finding authoritative information from the JNDI API spec. The best I can find is in [1], which does not describe this functionality at all and moreover uses singular form.
Also, I can only find Oracle references and only for Java 8 and older, not from OpenJDK, not for newer Java versions.
For OpenJDK 11, this is documented in the code as a comment [2], but not 'published' and also not in the context of LDAP, but just for general DNS handling. In a module that seems to use this interface, it is described with a few more words [3], including the statement [4] that it should conform to RFC2782.
(Why don't they publish this Javadoc somewhere findable with Google Search? sigh.)
I'll test this briefly with RFC2782 (as that's *clearly* the best way to handle HA with LDAP) and then write some documentation regarding this - planned later this week.
[1]:https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#PROVIDER_URL
[2]:https://github.com/AdoptOpenJDK/openjdk-jdk11u/blob/9456afc1a52221bb397bf067ca39e90dee7411ca/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/DnsContextFactory.java#L184-L186
[3]:https://github.com/AdoptOpenJDK/openjdk-jdk11u/blob/9456afc1a52221bb397bf067ca39e90dee7411ca/src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java#L98-L108
[4]:https://github.com/AdoptOpenJDK/openjdk-jdk11u/blob/9456afc1a52221bb397bf067ca39e90dee7411ca/src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java#L111-L115
[Monorail components: LDAP docs]
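As an added example (not code from this issue, from Gerrit or from the JDK), the following Python checks a Gerrit ldap.server value the way the thread describes JNDI reading it (several whitespace-separated URLs in one PROVIDER_URL string), flags a cleartext ldap:// member hiding in a ldaps:// failover list, and shows the RFC 2782 priority/weight ordering that the host-less ldap:///dc=domain,dc=tld form depends on. The _ldap._tcp.<domain> SRV name and the dc=...-to-domain mapping are assumptions taken from RFC 2782 and RFC 2247, not from this thread.

```python
"""Lint a Gerrit ldap.server value the way JNDI's Context.PROVIDER_URL reads it."""
import random
from urllib.parse import urlsplit


def split_provider_urls(value: str) -> list[str]:
    # JNDI accepts several whitespace-separated URLs in one PROVIDER_URL string.
    return value.split()


def check_ldap_servers(value: str) -> list[str]:
    """Return findings for a Gerrit ldap.server value; an empty list means OK."""
    findings = []
    urls = split_provider_urls(value)
    if not urls:
        return ["ldap.server is empty"]
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps"):
            findings.append(f"{url}: unexpected scheme {parts.scheme!r}")
        elif parts.scheme == "ldap" and parts.netloc:
            # A failover list is only as strong as its weakest member.
            findings.append(f"{url}: cleartext ldap:// host in the failover list")
        elif not parts.netloc and not parts.path.lstrip("/"):
            findings.append(f"{url}: host-less URL without a base DN, SRV lookup impossible")
    return findings


def srv_name_for(url: str) -> str:
    """Assumed RFC 2247-style mapping: ldap:///dc=example,dc=org -> _ldap._tcp.example.org."""
    dn = urlsplit(url).path.lstrip("/")
    labels = [rdn.split("=", 1)[1] for rdn in dn.split(",") if rdn.lower().startswith("dc=")]
    return "_ldap._tcp." + ".".join(labels)


def rfc2782_order(records: list[tuple], rng=None) -> list[tuple]:
    """Order (priority, weight, port, target) SRV records per RFC 2782: lowest priority
    first; within one priority a weighted random pick, weight-0 entries first so they
    get only a tiny chance of selection."""
    rng = random.Random() if rng is None else rng
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for r in pool:
                running += r[1]
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered
```

The SRV ordering only decides which target to try first; certificate validation for each ldaps:// target (or StartTLS for targets found via SRV) is still a separate setting.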
ek...@google.com <ek...@google.com> #6
[Monorail components: Backend]
ek...@google.com <ek...@google.com> #7
[Monorail components: -LDAP]
ek...@google.com <ek...@google.com> #8
[Monorail components: Documentation]
ek...@google.com <ek...@google.com> #9
[Monorail components: -docs]
Description
We would like to get redundancy and low-latency by more than one ldap server directly in the Gerrit config.