Multiple LDAP server settings are invalid

Question

Multiple LDAP server settings are invalid

Opened this issue 3 years ago · 1 comments

I made the following settings, but the request to the "ad_2 "did not go through.

ldap_server ad_1 {
  url "ldap://<LDAP SERVER IP ADDRESS1>:3268/OU=Offices,DC=company,DC=com?sAMAccountName?sub?(objectClass=person)";
  binddn "CN=Operator,OU=Service Accounts,DC=company,DC=com";
  binddn_passwd <PUT Operator's PASSWORD HERE>;
  group_attribute member;
  group_attribute_is_dn on;
  require group "CN=Admins,OU=My Security Groups,DC=company,DC=com";
}
ldap_server ad_2 {
  url "ldap://<LDAP SERVER IP ADDRESS2>:3268/OU=Offices,DC=company,DC=com?sAMAccountName?sub?(objectClass=person)";
  binddn "CN=Operator,OU=Service Accounts,DC=company,DC=com";
  binddn_passwd <PUT Operator's PASSWORD HERE>;
  group_attribute member;
  group_attribute_is_dn on;
  require group "CN=Admins,OU=My Security Groups,DC=company,DC=com";
}

server {
    listen       8000;
    server_name  localhost;
    auth_ldap "Forbidden";
    auth_ldap_servers ad_1;
    auth_ldap_servers ad_2 ;

    location / {
        root   html;
        index  index.html index.htm;
    }
}

The authentication for "ad_1" passes, but "ad_2" does not.
If I comment out the following setting, it works fine, is it a bug caused by this setting?

auth_ldap_cache_enabled on;
auth_ldap_cache_expiration_time 10000;
auth_ldap_cache_size 1000;

Answer 1 · 2023-11-09T01:40:06.000Z

Don't specify IP addresses. Refer to the servers using a properly configured SRV RR.