More than one LDAP server? (LDAP Authenticator Extension)

Hi all

Is it possible to add a fallback LDAP server to the config? As of now, the documentation only talks about one server to be configured in xwiki.authentication.ldap.server. A short look at the source code didn’t reveal anything like this.

We’re running the LDAP Authenticator Extension V9.4.5 here.

Thanks in advance

André

Actually the documentation does talk a bit about multi-server support in https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/UseCases/#HApproach1:Lettheuserindicatethedomain. But it’s not based on a fallback system: the value used in the login form needs to contain a “clue” regarding the LDAP server which should be used (for example “myuser@domain.com”) and then you can customize the configuration based on this criterion.

You can find a detailed example in the general configuration example in https://extensions.xwiki.org/xwiki/bin/view/Extension/LDAP/Authenticator/#HGenericLDAPconfiguration (the xwiki.authentication.ldap.remoteUser* properties).

You would like to specify more than one ldap server to mitigate an outage, right? Not sure if you could specify more than one ip/server for the ldap_server property, probably not. @tmortagne is the expert and can answer this in case this was your question.

There are many LDAP implementations that do not support multiple LDAP servers to be specified (or only statically). It is only a question of time until this will no longer work :wink:

Active Directory implementations that use SRV records are an exception here. But again, most implementations do not work this way.
Your options in this case:

  • use a dedicated DNS name like “ldap.myorganisation.com” that has a very short TTL that points to a working LDAP server and manually/automatically update DNS
  • use a load balancer (Layer 4 or protocol specific) that will round robin/fail over to a working LDAP server

HTH

In case anyone is reading this in 2026: We had success with adding multiple space-delimited hosts to our xwiki.cfg like this:

xwiki.authentication.ldap.server=host1.com host2.com

According to LDAPConnection (LDAP Classes), this means “each host is contacted in turn until a connection can be established”. I confirmed this by using a bogus host1 and a working host2.

Just for the record, you could also make use of LDAP service discovery. If you run Microsoft’s Active Directory or Red Hat’s IdM/FreeIPA this is set up out of the box.

You’ll just have to set xwiki.authentication.ldap.service_discovery=1 and point xwiki.authentication.ldap.server to your domain, e.g. if your Active Directory servers offering LDAP are ad01.example.com and ad02.example.com etc., you’d configure:

xwiki.authentication.ldap.server=example.com
xwiki.authentication.ldap.service_discovery=1
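To make the two multi-server forms discussed in this thread concrete (the space-delimited host list, and service discovery via SRV records), here is an added Python example that is not XWiki’s code and not from any poster. It parses the two xwiki.cfg snippets above, turns each into the ordered list of hosts that would be contacted, and then walks that list “in turn until a connection can be established”, so you can see what happens when the first host is bogus and when none is reachable. The SRV records, the hosts and the `try_connect`/`resolve_srv` callables are constructed stand-ins for real DNS and LDAP; the `xwiki.authentication.ldap.port` default of 389 is an assumption, as the thread does not mention that property.

```python
"""Added example (not XWiki's code): how the two multi-server forms of
xwiki.authentication.ldap.server from the thread resolve to an ordered host
list, and how "each host is contacted in turn" behaves under failure.

Assumptions (hypothetical): try_connect / resolve_srv stand in for a real
LDAP connect and a real DNS SRV lookup; all records and hosts below are
constructed sample data, not real servers."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    """One _ldap._tcp.<domain> SRV record (RFC 2782 fields)."""
    priority: int
    weight: int
    port: int
    target: str


def parse_cfg(text):
    """Parse xwiki.cfg-style key=value lines into a dict (comments skipped)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def order_srv(records, rng=None):
    """Order SRV records per RFC 2782: ascending priority, then a weighted
    random selection within each priority group (weight 0 placed first so
    it is effectively chosen last)."""
    if rng is None:
        rng = random.Random(0)
    ordered = []
    groups = {}
    for r in records:
        groups.setdefault(r.priority, []).append(r)
    for prio in sorted(groups):
        group = sorted(groups[prio], key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            n = rng.randint(0, total)
            running = 0
            pick = group[-1]
            for r in group:
                running += r.weight
                if running >= n:
                    pick = r
                    break
            ordered.append(pick)
            group.remove(pick)
    return ordered


def candidate_hosts(cfg, resolve_srv):
    """Turn the config into the ordered host:port list that will be tried.

    - service_discovery=1: 'server' is a domain; look up its _ldap._tcp SRVs.
    - otherwise: 'server' is a space-delimited host list, tried in that order.
    """
    server = cfg.get("xwiki.authentication.ldap.server", "")
    if cfg.get("xwiki.authentication.ldap.service_discovery") == "1":
        records = resolve_srv("_ldap._tcp." + server)
        return [f"{r.target}:{r.port}" for r in order_srv(records)]
    port = cfg.get("xwiki.authentication.ldap.port", "389")  # assumed default
    return [f"{h}:{port}" for h in server.split()]


def connect_first_available(hosts, try_connect):
    """Contact each host in turn; return (host that answered, failures so far).
    Raises ConnectionError listing every host tried when none answers."""
    failures = []
    for host in hosts:
        try:
            try_connect(host)
            return host, failures
        except OSError as exc:
            failures.append((host, str(exc)))
    raise ConnectionError(f"no LDAP server reachable: {failures}")


# Constructed sample configs: the two forms quoted in the thread.
CFG_HOST_LIST = "xwiki.authentication.ldap.server=host1.com host2.com\n"
CFG_SRV = ("xwiki.authentication.ldap.server=example.com\n"
           "xwiki.authentication.ldap.service_discovery=1\n")

# Constructed SRV answer for _ldap._tcp.example.com (hypothetical hosts).
SAMPLE_SRV = {
    "_ldap._tcp.example.com": [
        SrvRecord(0, 50, 389, "ad01.example.com"),
        SrvRecord(0, 50, 389, "ad02.example.com"),
        SrvRecord(10, 0, 389, "ad-backup.example.com"),
    ]
}


def fake_resolve_srv(name):
    """Stand-in for a DNS SRV lookup over the constructed records."""
    return SAMPLE_SRV.get(name, [])


def fake_connect_only(working):
    """Stand-in for an LDAP connect that succeeds only for hosts in `working`."""
    def try_connect(host):
        if host.split(":")[0] in working:
            return f"connection to {host}"
        raise OSError("connection refused")
    return try_connect


if __name__ == "__main__":
    hosts = candidate_hosts(parse_cfg(CFG_HOST_LIST), fake_resolve_srv)
    print(hosts)
    # bogus host1, working host2: the fallback lands on host2 after one failure
    print(connect_first_available(hosts, fake_connect_only({"host2.com"})))
    print(candidate_hosts(parse_cfg(CFG_SRV), fake_resolve_srv))
```

The `failures` list returned alongside the winning host is the part worth logging in production: a login that silently succeeds on host2 every time is the only sign that host1 has been down for a week, so surface it in monitoring rather than discarding it.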