LDAP AD authentication with failover


Post by daxis »

If you have an Active Directory domain with multiple domain controllers, you want eFa to authenticate against all domain controllers in case one is down.
By default you can't.
This how-to describes how to implement the failover option.

You can add multiple space-separated hosts under 'LDAP_HOST' in config.php.
Be sure to include ldap:// in front of each hostname or IP address!
Or ldaps:// if you're using an SSL connection.

define('USE_LDAP', true);
// Space-separated list of URIs; each entry needs its ldap:// or ldaps:// prefix
define('LDAP_HOST', 'ldap://host1 ldap://host2 ldap://host3');
define('LDAP_PORT', '389');
Next add:

define('LDAP_NETWORK_TIMEOUT', '5'); // Seconds to wait for a host before moving on to the next one when using multiple hosts

A timeout is necessary for the LDAP connection to try the next host. Otherwise LDAP will connect to the first host indefinitely.
You can change the value to time out sooner or later.

Last but not least, you need to add the new timeout to the function ldap_authenticate in functions.php.
Add this piece of code before $bindResult = @ldap_bind($ds, LDAP_USER, LDAP_PASS);

// Apply the per-host network timeout to the handle before the bind; the
// option expects an integer, so cast the value from config.php
if (defined('LDAP_NETWORK_TIMEOUT')) {
    $ldap_network_timeout = (int) LDAP_NETWORK_TIMEOUT;
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, $ldap_network_timeout);
}
Restart the php-fpm service and you're good to go.

From now on, when the first host fails to connect within 5 seconds, the second host will be tried, and so on.

It should work with other clustered LDAP servers than Active Directory too.
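For anyone who wants to see the three steps above assembled and exercised outside eFa before touching functions.php, here is a stand-alone PHP script. It is an added example, not code from the post above and not from the eFa or MailWatch code base. The host names dc1/dc2/dc3.example.test, the bind DN, the password and the helper names ldap_connect_with_failover() and validate_ldap_host_list() are all placeholders and assumptions of this example. It passes the URI list to ldap_connect() without a separate port argument: when a URI is given, the port belongs inside the URI (ldap://host:389), which is why LDAP_PORT is not used here.

```php
<?php
// Added example, not part of the original post or of eFa/MailWatch.
// Shows the failover flow end to end: a space-separated list of LDAP URIs
// goes to ldap_connect(), the per-host network timeout is set on the handle,
// and the service-account bind is attempted. All hosts, DNs and passwords
// below are placeholders (assumed values for this example).

declare(strict_types=1);

define('USE_LDAP', true);
define('LDAP_HOST', 'ldap://dc1.example.test ldap://dc2.example.test ldap://dc3.example.test');
define('LDAP_NETWORK_TIMEOUT', '5');   // seconds per host before trying the next one
define('LDAP_USER', 'CN=efa-bind,OU=Service Accounts,DC=example,DC=test'); // placeholder bind DN
define('LDAP_PASS', 'replace-me');     // placeholder; keep the real one out of version control

/**
 * Check every entry of the LDAP_HOST list before touching the network.
 * Returns the entries that lack an ldap:// or ldaps:// prefix (the mistake
 * the how-to warns about); an empty array means the list looks sane.
 */
function validate_ldap_host_list(string $hosts): array
{
    $bad = [];
    foreach (preg_split('/\s+/', trim($hosts)) as $uri) {
        if (!preg_match('#^ldaps?://[^\s/]+$#', $uri)) {
            $bad[] = $uri;   // no scheme, or something other than host[:port]
        }
    }
    return $bad;
}

/**
 * Open a handle against the URI list, apply the timeout and bind.
 * Returns the LDAP handle on success, or null with the reason in $error.
 */
function ldap_connect_with_failover(string $hosts, int $timeout, ?string &$error = null)
{
    // ldap_connect() hands the whitespace-separated list to libldap, which
    // tries the URIs in order until one accepts the connection.
    $ds = @ldap_connect($hosts);
    if ($ds === false) {
        $error = 'malformed LDAP_HOST value: ' . $hosts;
        return null;
    }

    // Without LDAP_OPT_NETWORK_TIMEOUT a dead first host blocks the bind for
    // the operating system's TCP timeout and the other URIs are not reached.
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, $timeout);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);  // Active Directory needs LDAPv3
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);         // do not chase AD referrals

    // The TCP connection is made here, so this is where failover happens.
    $start = microtime(true);
    $bound = @ldap_bind($ds, LDAP_USER, LDAP_PASS);
    $elapsed = microtime(true) - $start;

    if (!$bound) {
        // ldap_error() tells "Can't contact LDAP server" (no host reachable
        // within the timeouts) apart from "Invalid credentials".
        $error = sprintf('bind failed after %.2fs: %s', $elapsed, ldap_error($ds));
        return null;
    }
    $error = null;
    return $ds;
}

if (USE_LDAP) {
    $bad = validate_ldap_host_list(LDAP_HOST);
    if ($bad !== []) {
        fwrite(STDERR, 'entries without ldap:// or ldaps:// prefix: ' . implode(', ', $bad) . PHP_EOL);
        exit(1);
    }

    $ds = ldap_connect_with_failover(LDAP_HOST, (int) LDAP_NETWORK_TIMEOUT, $why);
    if ($ds === null) {
        fwrite(STDERR, 'LDAP unavailable: ' . $why . PHP_EOL);
        exit(1);
    }
    echo 'bind succeeded against one of: ', LDAP_HOST, PHP_EOL;
    ldap_unbind($ds);
}
```

Run it with the first host deliberately unreachable and the bind should still succeed after roughly LDAP_NETWORK_TIMEOUT seconds; with the timeout line commented out you will see the long hang the post describes. When the list uses ldaps://, make sure the client actually validates the domain controllers' certificates (for example via TLS_CACERT in ldap.conf), otherwise failover across hosts also means silently accepting whichever host answers.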