10.5 - LDAP Not Working

We are still configuring using the xwiki.cfg file. Nothing else appears to have changed, but not working in 10.5. Nothing in Release Notes to indicate a problem should exist.

We are using it with Active Directory, FYI.

Never mind. The Domain Controller we point to was rebooting for maintenance. Too bad there is no way to specify more than one LDAP server… or is there?

There is multi-LDAP-server support (that’s what xwiki.authentication.ldap.remoteUserMapping.* is about) but not as a fallback (which is what you seem to need here). The goal of this property is more to choose a different LDAP server depending on information extracted from the login (like the domain).


@laurin1

There are many LDAP implementations that are not “AD” aware … e.g. are unable to read the AD sites or make use of multiple GCs/DCs …

One approach is to use a DNS alias like “ldap.ad-domain.com” for small/single sites or “ldap-site.ad-domain.com” for distributed sites. The alias points to one of the domain controllers using a short TTL (like 1 to 10 minutes). In case of maintenance or failure, you simply change the alias to another DC.

This way, no configuration change in the application(s) is required and planned maintenance to DCs can be done without any interruption to LDAP clients …

HTH

Beat

We do use an alias, and if we have an extended outage, we certainly can switch it, but this was not one, and there will be cases when a DC is down but an admin is not available to switch it.

… sounds like an organizational challenge … and if you have a requirement for high availability of your Wiki (and possibly other services that use LDAP), I would suggest a load balancer for LDAP … this would cover such an outage without any intervention of system/network admins.


Isn’t there already a DNS name that matches your domain name and does DNS round robin between all your DCs? I always configure the domain name as “ldap server” and I can confirm that it works for xwiki.
You should be able to check with nslookup domain.name and you should get multiple IPs that change in order per nslookup request.

And if you do a planned downtime with a normal shutdown of a DC it should remove itself from the list.

Thanks for the suggestion.

Yes, I guess we could use our domain name as the LDAP server, but no, as far as I know DCs don’t remove themselves from DNS when they are down. I’ve just tested that and, unless it takes a very long time, that does not occur. AD clients will try all DCs until they find one that works or fail completely; no DNS changes occur to accommodate this scenario. Also, the TTL for Domain Controllers is 10 minutes and I would not want to increase network traffic for DC requests to assist here.
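As an added illustration of the behaviour the last reply describes (an AD-aware client walking every DC behind the domain's round-robin DNS record until one accepts a connection, with no DNS change needed), here is a small Python failover loop. It is not code from this thread or from XWiki; the domain name, the three DC addresses and the "rebooting" DC are constructed, and the resolver and connector are injectable so the simulation runs offline. The point for an LDAP client that is not AD-aware is that this retry is what it is missing, which is why the thread lands on a DNS alias or a load balancer in front of the DCs.

```python
import itertools
import socket
from typing import Callable, Dict, List, Tuple

LDAP_PORT = 389  # plain LDAP; 636 for LDAPS, 3268 for a Global Catalog


def default_resolver(name: str) -> List[str]:
    """Return the deduplicated addresses behind `name`, in the order the
    resolver hands them out (a round-robin record rotates that order per query)."""
    seen: List[str] = []
    for *_rest, sockaddr in socket.getaddrinfo(name, LDAP_PORT, type=socket.SOCK_STREAM):
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def tcp_connect(ip: str, port: int, timeout: float) -> socket.socket:
    """Real connector: a TCP connect with a bounded timeout so a DC that is
    rebooting costs seconds, not the default OS connect timeout."""
    return socket.create_connection((ip, port), timeout=timeout)


def connect_with_fallback(
    name: str,
    resolver: Callable[[str], List[str]] = default_resolver,
    connector: Callable[[str, int, float], object] = tcp_connect,
    port: int = LDAP_PORT,
    timeout: float = 2.0,
) -> Tuple[str, object, List[Tuple[str, str]]]:
    """Try every address behind `name` in resolver order.

    Returns (address that answered, connection, list of (address, error) that
    were skipped). Raises ConnectionError only when *all* addresses fail, which
    is the behaviour described for AD clients in the thread above."""
    failures: List[Tuple[str, str]] = []
    for ip in resolver(name):
        try:
            conn = connector(ip, port, timeout)
            return ip, conn, failures
        except OSError as exc:  # refused, unreachable and timeout are all OSError
            failures.append((ip, repr(exc)))
    raise ConnectionError(f"no LDAP server behind {name} accepted a connection: {failures}")


# ---- constructed simulation pieces (stand-ins for DNS and the network) ----

def make_round_robin_resolver(addresses: List[str]) -> Callable[[str], List[str]]:
    """Imitate a round-robin DNS record: each query returns the same addresses,
    rotated by one position, as `nslookup domain.name` would show."""
    calls = itertools.count()

    def resolver(_name: str) -> List[str]:
        shift = next(calls) % len(addresses)
        return addresses[shift:] + addresses[:shift]

    return resolver


def make_simulated_connector(down: set) -> Callable[[str, int, float], str]:
    """Imitate the network: DCs in `down` time out, the rest accept."""

    def connector(ip: str, port: int, timeout: float) -> str:
        if ip in down:
            raise socket.timeout(f"connect to {ip}:{port} timed out after {timeout}s")
        return f"session:{ip}:{port}"

    return connector


def simulate(rounds: int = 3, down: set = frozenset({"10.0.0.1"})) -> List[Tuple[str, List[str]]]:
    """Run `rounds` logins against a constructed domain with three DCs, one of
    them rebooting, and report which DC served each login and which were skipped."""
    dcs = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # constructed; not real addresses
    resolver = make_round_robin_resolver(dcs)
    connector = make_simulated_connector(set(down))
    results: List[Tuple[str, List[str]]] = []
    for _ in range(rounds):
        ip, _conn, failures = connect_with_fallback("ad.example.test", resolver, connector)
        results.append((ip, [skipped for skipped, _err in failures]))
    return results


if __name__ == "__main__":
    for served_by, skipped in simulate():
        print(f"served by {served_by}; skipped {skipped or 'none'}")
```

The first query sees the rebooting DC at the head of the rotated list, skips it after one bounded timeout and lands on the next address; later queries start on healthy DCs and skip nothing. Swap in `default_resolver` and `tcp_connect` to run it against a real domain name, and expect `ConnectionError` only when every DC is unreachable.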