At the moment only one LDAP server is contacted during user authentication for LDAP users or during LDAP synchronization.
In case that LDAP server is not reachable - the cached password for the user that is stored in the SQL database is used if the user was already authenticated to filr at least once.
Also the LDAP sync does not work in case the configured LDAP server is not available.
In general customers have multiple LDAP servers for fault tolerance - but filr does not use them.
To get better availability we should be able to specify multiple IP addresses / DNS names for a specific LDAP source and should have the code to fail over between the configured LDAP servers in case one is not available. (Similar to the LDAP sources in ZCM or other LDAP applications ;-))
by: Martin W. | over a year ago | Other
Comments
I agree with this - Filr should do be able to do this - see the way LDAP contextless login works on the Novell Client for an exemplar.
However, we can get pretty good LDAP fault tolerance for all applications by clustering your LDAP servers (very quick and easy with Novell Cluster Services).
Yes - there are multiple ways to make LDAP servers fault tolerant (cluster, L4 or higher layer switch, LDAP proxy,.. - but all of them come with a price-tag ;-).
From an architecture point of view - standard LDAP fault tolerance is build on the client side similar to DNS..
So these days applications best practice is to support multiple LDAP servers for fault tolerance and load balancing... and it would be great if Filr would allow that, too.
Just to remember that ZENworks have this feature today. Maybe "borrow" the source code from ZENworks guys.
Just to remember that GroupWise POA have this feature today. Maybe "borrow" the source code from GroupWise guys.
Good idea - Noted!
It is a feature for most of LDAP system configuration and I strongly support.
Very much support such a feature - push it up the stack Dev :)