John Morrissey
2009-11-24 10:19:13
Revision ID: jwm@horde.net-20091124151913-92ky7evr107w5oph
fix LDAP server failover by implementing our own failover mechanism instead
of relying on the LDAP SDK's.
ldap server failover (space-separated list of hostnames in the argument to
LDAPServer) has been broken since 1.1.13 when ldap_init() was replaced with
ldap_initialize(), if available. as of that commit, a LDAP URL is
constructed if simple hostname(s) are passed to LDAPServer, so:
'LDAPServer "127.0.0.1 172.16.0.5"
was passed to ldap_initailize() as:
ldap://127.0.0.1 172.16.0.5/
Unfortunately, ldap_url_parse() treats this as a valid URL, but
ldap_intiailize() will not fail over to subsequent LDAP servers
should the first be unreachable.
ldap_initialize() *will* take a whitespace-separated list of LDAP URLs and
will fail over successfully, just not when whitespace-separated hostname
are passed to a *single* url (even if the whitespace in the hostname portion
of the URL is urlencoded as %20).
Also, mod_ldap_userdir wouldn't accept multiple LDAP URLs passed to
LDAPServerURL, so failover wasn't possible when specifying URLs.
forget all of this SDK-based failover and implement our own failover support,
since afaict Sun's ancient LDAP SDK doesn't implement failover and it's nice
to be able to control it ourselves.
for that matter, we *need* to control it ourselves since we need to use the
URL parameters (base DN, filter, search scope) indicated by the URL at hand.
chances are, these items will be the same for all URLs passed to LDAPServer,
but to be completely correct, we should use the scope corresponding to the
current URL and ldap_initialize() provides no way to tell what URL it wound
up connecting to.
added
removed
expand all
collapse all