Document how to configure multiple LDAP servers / HA for LDAP [40010644]

In Progress

Feature Request

Triaged-Yes

Status Update

No update yet.

Description

ab...@gmail.com

created issue #1

May 10, 2019 06:07PM

We have use-case where we need to support multiple ldap servers.

We would like to get redundancy and low-latency by more than one ldap server directly in the Gerrit config.

Comments

th...@yahoo.com <th...@yahoo.com> #2May 10, 2019 09:28PM

multiple ldap servers is supported. At the wikimedia foundation we do

server =<% @ldap_hosts.each do |ldap_host| %> ldaps://<%= ldap_host %><% end %>

(which basically is server = ldaps://<ldap> ldaps://<ldap>)

(notice two servers on the same line).

ge...@gmail.com <ge...@gmail.com> #3May 13, 2019 08:47AM

Oh, wow, I never knew about that. It is also not documented like that in Gerrit. Apparently, the string in ldap.server is passed on to the Context.PROVIDER_URL of the JRE and it allows space-separated URLs [1].

Reminds me I should test the RFC 2782 [2] notation again with LDAP for high-availability: ldap:///dc=domain,dc=tld should be high-available with all LDAP servers specified in DNS via the SRV records.

[1]:

https://docs.oracle.com/javase/jndi/tutorial/ldap/misc/url.html
[2]:

https://www.rfc-editor.org/rfc/rfc2782.txt

ab...@gmail.com <ab...@gmail.com> #4May 21, 2019 05:31PM

Thank you Thomas for the solution/workaround.
Documentation for Gerrit side needs to convey this feature is already supported.

ge...@gmail.com <ge...@gmail.com> #5Sep 26, 2019 12:59AM

Accepted by Deleted User.

I'm willing to add this to the documentation, but I have a hard time finding authoritative information from the JNDI API spec. The best I can find is in [1], which does not describe this functionality at all and moreover uses singular form.

Also, I can only find Oracle references and only for Java 8 and older, not from OpenJDK, not for newer Java versions.

For OpenJDK 11, this is documented in the code as a comment [2], but not 'published' and also not in the context of LDAP, but just for general DNS handling. In a module that seems to use this interface, it is described with a bit of more words [3], including the statement [4] that it should conform to RFC2782.

(Why don't they publish this Javadoc somewhere findable with Google Search? sigh.)

I'll test this briefly with RFC2782 (as that's *clearly* the best way to handle HA with LDAP) and then write some documentation regarding this - planned later this week.

[1]:

https://docs.oracle.com/javase/8/docs/api/javax/naming/Context.html#PROVIDER_URL
[2]:

https://github.com/AdoptOpenJDK/openjdk-jdk11u/blob/9456afc1a52221bb397bf067ca39e90dee7411ca/src/jdk.naming.dns/share/classes/com/sun/jndi/dns/DnsContextFactory.java#L184-L186
[3]:

https://github.com/AdoptOpenJDK/openjdk-jdk11u/blob/9456afc1a52221bb397bf067ca39e90dee7411ca/src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java#L98-L108
[4]:

https://github.com/AdoptOpenJDK/openjdk-jdk11u/blob/9456afc1a52221bb397bf067ca39e90dee7411ca/src/jdk.security.auth/share/classes/com/sun/security/auth/module/LdapLoginModule.java#L111-L115

[Monorail components: LDAP docs]

ek...@google.com <ek...@google.com> #6Jul 6, 2022 11:37AM

[Monorail components: Backend]

ek...@google.com <ek...@google.com> #7Jul 6, 2022 11:37AM

[Monorail components: -LDAP]

ek...@google.com <ek...@google.com> #8Jul 6, 2022 12:38PM

[Monorail components: Documentation]

ek...@google.com <ek...@google.com> #9Jul 6, 2022 12:39PM

[Monorail components: -docs]