Brian Candler wrote:

> On Sat, Jul 01, 2006 at 04:39:49PM +0200, Tony Earnshaw wrote:
>> What all of us with master/slave dbase (we're using OpenLDAP 2.3) need
>> from the absolutely retrograde[1] Courier authlib LDAP basis, is
>> fallback support. At the moment (Sam knows this well enough) Courier
>> (vs. Samba, pam_ldap, the OpenLDAP utilities  and a whole bunch of other
>> "programs") only supports a single LDAP server for lookups and dual (as
>> opposed to multiple) filters per record.
> ...
>> [1] LDAP client code has to support multiple/fallback (not failover)
>> servers.
> 
> Can you explain your distinction between "fallback" and "failover"?

Thanks, as always, Brian, for your comments and suggestions.

I call a failover server a physical server in sync with a master that 
will automatically take over from the master if the master should fail 
in any sense, physically or programmatically. Clustered servers would be 
an example. I call a fallback server one to which a program such as LDAP 
would point if the LDAP master program should fail. We have only one 
master LDAP server here with three slaves that normally point to 
themselves (pam_ldap, samba, Postfix, anything that uses the OpenLDAP 
libraries) and to a fellow slave, should the LDAP program fail on any 
given slave. The master LDAP server has no failover server; if it should 
fail, LDAP referrals from the slaves will fail, but not much else.

> Originally, courier-authlib supported multiple hostnames using LDAP_SERVER.
> This was because the underlying client library allowed you to pass a single
> string containing multiple hostnames separated by spaces. At the time when
> you made a connection, if the first one failed to connect, then it would
> move onto the next one.

Yes, that's the principle we use for everything but Courier.

> (This would at least cope with errors where the first LDAP server was
> completely dead, or the host was OK but the LDAP server process not running.
> It would not cope with the case where you could connect and issue a search
> command, but the response was LDAP_BUSY or LDAP_UNAVAILABLE)
> 
> According to the courier-authlib docs, with LDAP_URI this should still work,
> except you have to separate the URIs with commas. Does it not? Perhaps you
> could detail what behaviour you have observed, and how this differs from the
> behaviour you would like to see?

I didn't know this, I can't find it in the authlib LDAP-relevant docs; 
I'm at home today with only one test server, so I can't try it in 
practice. But adding a second LDAP listener with a comma delimiter in 
authldaprc doesn't at least cause it to barf (LDAP_URI 
ldapi://%2fvar%2frun%2fslapd%2fldapi/, ldap://tru.leerlingen). I'll try 
it out in practice on the Courier server when I'm at work again.

>> It has to support
>> multiple lookup fields (not just two as authlib does).
> 
> That comment I don't understand at all; nor do I understand the earlier
> comment about "dual (as opposed to multiple) filters per record"

For example 
((uid=%u)(&(accountstatus=active)(objectClass=inetMailRecipient)))

> A filter is a filter. If you want to filter on multiple conditions, you can
> use '|(..)(..)'. Are you saying you want to search with filter 1, and if
> that search returns zero entries, try again with filter 2?

I want to AND, not OR. authldap barfs if I try 
&(accountstatus=active)(objectClass=inetMailRecipient). By "barfs" I 
mean I get the dreaded "OPERATION NOT PERMITTED" response.

> I have not come across any other LDAP client which does that (except Exim,
> whose behaviour language is really a domain-specific programming language so
> you can implement that sort of thing quite easily).

I used to be an Exim man but "gave it up" for Postfix - so I think I 
know what you mean. That's not what I want, though.

> If you want to implement this sort of complex logic, though, it's quite
> easily done in the existing courier-authlib using authpipe. Just pick any
> programming language you are happy with which has an LDAP client library
> (say Perl), and use that to implement a small custom auth module.

I've just started learning Perl seriously; I'll put this on my to-do 
list for later.

> "Multiple lookup fields (not just two)" doesn't mean anything to me either.

s/field/attribute/. In which objectClass is also counted as an attribute.

Thanks :)

--Tonni

-- 
tonni at barlaeus.nl
Tony Earnshaw
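The AND-filter exchange above turns on how an RFC 4515 filter is written: every component, including the `&` list itself, sits inside its own parentheses, so the AND of the three conditions in the thread is `(&(uid=%u)(accountstatus=active)(objectClass=inetMailRecipient))`. The following parser and evaluator is an added example, not code from the thread or from courier-authlib; it rejects the two unparenthesised forms that appear in the messages, evaluates the AND against a few constructed entries, and escapes the value substituted for `%u` so that a login name cannot alter the filter's structure. Whether authldaprc accepts this form is a separate question the thread does not answer.

```python
"""Minimal RFC 4515 LDAP search-filter parser and evaluator.

Added example, not code from the thread or from courier-authlib. It covers
only equality assertions and the '&', '|' and '!' operators, plus RFC 4515
escaping of a value substituted for the %u placeholder. Entries are plain
dicts with lower-cased attribute names (constructed sample data).
"""
import re


class FilterError(ValueError):
    """Raised when a filter string is not a complete parenthesised filter."""


def escape_value(value):
    """Escape a user-supplied assertion value per RFC 4515 so that it can
    never open or close a parenthesised component of the filter."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)


_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def _unescape(value):
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter into nested tuples: ('eq', attr, value), ('and', [...]),
    ('or', [...]) or ('not', node). A bare '&(a=b)(c=d)' without the outer
    parentheses is rejected, as is '((a=b)(&(c=d)))'."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError("trailing data at offset %d: %r" % (pos, text[pos:]))
    return node


def _parse(text, pos):
    if pos >= len(text) or text[pos] != "(":
        raise FilterError("expected '(' at offset %d" % pos)
    pos += 1
    if pos >= len(text):
        raise FilterError("unterminated filter")
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while pos < len(text) and text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if not children:
            raise FilterError("empty filter list at offset %d" % pos)
        node = ("and" if op == "&" else "or", children)
    elif op == "!":
        child, pos = _parse(text, pos + 1)
        node = ("not", child)
    else:
        end = text.find(")", pos)
        if end < 0:
            raise FilterError("missing ')' for assertion at offset %d" % pos)
        item = text[pos:end]
        if "(" in item or "=" not in item:
            raise FilterError("malformed assertion %r" % item)
        attr, value = item.split("=", 1)
        node = ("eq", attr.strip().lower(), _unescape(value))
        pos = end
    if pos >= len(text) or text[pos] != ")":
        raise FilterError("expected ')' at offset %d" % pos)
    return node, pos + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality,
    which is what caseIgnoreMatch gives for the attributes used here)."""
    kind = node[0]
    if kind == "eq":
        values = entry.get(node[1], [])
        if isinstance(values, str):
            values = [values]
        return any(v.lower() == node[2].lower() for v in values)
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1], entry)


# Constructed sample directory: one active mail recipient, one disabled
# account, one active account that is not a mail recipient.
SAMPLE_ENTRIES = [
    {"uid": "alice", "accountstatus": "active",
     "objectclass": ["inetOrgPerson", "inetMailRecipient"]},
    {"uid": "bob", "accountstatus": "disabled",
     "objectclass": ["inetOrgPerson", "inetMailRecipient"]},
    {"uid": "carol", "accountstatus": "active",
     "objectclass": ["inetOrgPerson"]},
]

# The AND of all three conditions from the thread, as one RFC 4515 filter.
TEMPLATE = "(&(uid=%u)(accountstatus=active)(objectClass=inetMailRecipient))"


def lookup(username, entries=SAMPLE_ENTRIES, template=TEMPLATE):
    """Substitute the escaped username for %u and return the matching uids."""
    filt = parse_filter(template.replace("%u", escape_value(username)))
    return [e["uid"] for e in entries if matches(filt, e)]


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "alice)(uid=bob"):
        print("%-18r -> %r" % (name, lookup(name)))
```

Only `alice` satisfies all three conditions; the escaped login name `alice)(uid=bob` is compared as a literal string and matches nothing, which is the property the escaping exists to guarantee.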

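Brian's caveat about the multi-host LDAP_SERVER behaviour is worth seeing concretely: moving to the next host when the connection fails covers a dead machine or a stopped slapd, but a server that accepts the connection and then answers the search with LDAP_BUSY or LDAP_UNAVAILABLE is never retried elsewhere. The following is an added example, not code from the thread or from courier-authlib, with the servers simulated in-process and the comma-or-space splitting of the URI list stated as an assumption rather than authlib's actual parser.

```python
"""Connect-time fallback versus search-time fallback across several LDAP URIs.

Added example, not code from the thread or from courier-authlib. The servers
are simulated in-process (constructed data); nothing here talks to a real
directory, and the URI-list splitting is an assumption, not authlib's parser.
"""


class ConnectError(Exception):
    """Host unreachable, or no LDAP listener on it."""


class ServerBusy(Exception):
    """Connected, but the search came back LDAP_BUSY / LDAP_UNAVAILABLE."""


# Constructed fleet: the master is up but overloaded, one slave is down,
# the last slave is healthy. Dict order is the preference order.
SIMULATED_SERVERS = {
    "ldap://master.example.invalid": {"state": "busy", "users": {"alice"}},
    "ldap://slave1.example.invalid": {"state": "down", "users": {"alice"}},
    "ldap://slave2.example.invalid": {"state": "ok", "users": {"alice"}},
}
URI_SETTING = ", ".join(SIMULATED_SERVERS)


def simulated_connect(uri):
    """Stand-in for initialise+bind: fails only when the host is down."""
    server = SIMULATED_SERVERS[uri]
    if server["state"] == "down":
        raise ConnectError(uri)
    return server  # the "connection handle" is just the server record


def simulated_search(conn, uid):
    """Stand-in for a search: a busy server errors only after connecting."""
    if conn["state"] == "busy":
        raise ServerBusy()
    return [uid] if uid in conn["users"] else []


def parse_uri_list(setting):
    """Split an LDAP_URI-style value on commas and/or whitespace (assumption:
    the thread mentions both separators; accept either, preserve order)."""
    return [u for u in setting.replace(",", " ").split() if u]


def lookup_connect_fallback(setting, uid, connect=simulated_connect,
                            search=simulated_search):
    """Fall back only while connecting. The first server that accepts the
    connection gets the search, and a busy answer is the caller's problem."""
    errors = []
    for uri in parse_uri_list(setting):
        try:
            conn = connect(uri)
        except ConnectError:
            errors.append((uri, "connect"))
            continue
        return uri, search(conn, uid)  # ServerBusy propagates: no fallback
    raise ConnectError("all servers unreachable: %r" % errors)


def lookup_search_fallback(setting, uid, connect=simulated_connect,
                           search=simulated_search):
    """Fall back on a failed connection and on a busy/unavailable search."""
    errors = []
    for uri in parse_uri_list(setting):
        try:
            conn = connect(uri)
            return uri, search(conn, uid)
        except ConnectError:
            errors.append((uri, "connect"))
        except ServerBusy:
            errors.append((uri, "busy"))
    raise ConnectError("all servers failed: %r" % errors)


if __name__ == "__main__":
    try:
        print(lookup_connect_fallback(URI_SETTING, "alice"))
    except ServerBusy:
        print("connect-only fallback: master answered busy, lookup failed")
    print(lookup_search_fallback(URI_SETTING, "alice"))
```

With the master overloaded, the connect-only strategy fails the lookup even though a healthy slave is two entries down the list; the search-aware strategy skips the busy master and the dead slave and gets its answer from the third server. Either way the order of the URI list is the preference order, which is why a slave would list itself first and a fellow slave second, as described for pam_ldap and Samba above.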