Multiple LDAP does not work in failover

zlatko
Member II

Multiple LDAP does not work in failover

Hello,
First time posting here.
I am using Alfresco 7.0 in dockerised environment. I have two LDAPs configured in authentication chain, just like this:

authentication.chain=alfinst:alfrescoNtlm,ad2:ldap-ad,ad1:ldap-ad

Synchronisation and authentication work fine as long as AD2 is UP. As soon as AD2 is down, users are unable to log in anymore, regardless of AD1 being available.

The situation is similar if I swap AD2 and AD1 in the authentication chain. If AD1 is mentioned first in the chain, authentication works only while AD1 is up. After it turns off, login is unavailable.

The idea here is to have working authentication with a failover mechanism, which will work with one sufficiently working AD, no matter which one is specified in the chain. Any tips?

Thanks in advance.

2 Replies
abhinavmishra14
Advanced

Re: Multiple LDAP does not work in failover

In general, as per the docs, the chaining should work as long as all the configs and settings are appropriate.

Check out these docs to cross-check all the settings:

https://docs.alfresco.com/content-services/community/admin/auth-sync/

https://docs.alfresco.com/content-services/community/admin/auth-sync/#configure-the-authentication-c...

I would emphasize on this note:

Note: If you’re only using a single LDAP provider in your authentication chain, the properties can be included in the alfresco-global.properties file. But if you need to include the configuration for more than one LDAP provider, then you need to separate the properties in distinct subsystem configuration in <configRootShare>/classes/alfresco/subsystems/Authentication/<LDAP Provider Name>/ldap-authentication.properties.
~Abhinav
(ACSCE, AWS SAA, Azure Admin)
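As an added example (not code from this thread or from Alfresco itself), a small Python check that parses `authentication.chain` and verifies that each ldap-ad instance has its own `ldap-authentication.properties` in the directory layout the quoted note describes, and flags `ldap.*` properties left in `alfresco-global.properties` when more than one LDAP instance is chained. The property name `ldap.authentication.java.naming.provider.url`, the `<configRootShare>` placeholder and the sample hostnames are assumptions.

```python
"""Check an Alfresco authentication chain against per-instance LDAP subsystem files."""
from typing import Dict, List, Tuple

# Assumed: the provider URL is the minimum a usable ldap-ad instance must define.
REQUIRED_KEYS = ("ldap.authentication.java.naming.provider.url",)
LDAP_TYPES = ("ldap", "ldap-ad")


def parse_chain(chain: str) -> List[Tuple[str, str]]:
    """Split 'alfinst:alfrescoNtlm,ad2:ldap-ad' into (instance, type) pairs, in order."""
    pairs = []
    for entry in (e.strip() for e in chain.split(",")):
        if not entry:
            continue
        if ":" not in entry:
            raise ValueError("malformed chain entry: %r" % entry)
        name, typ = entry.split(":", 1)
        pairs.append((name.strip(), typ.strip()))
    return pairs


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, no continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_chain(global_props: str, files: Dict[str, str],
                config_root: str = "<configRootShare>/classes/alfresco") -> List[str]:
    """Return findings; an empty list means every LDAP instance has its own complete config."""
    gp = parse_properties(global_props)
    ldap_instances = [n for n, t in parse_chain(gp.get("authentication.chain", "")) if t in LDAP_TYPES]
    findings = []
    if len(ldap_instances) > 1 and any(k.startswith("ldap.") for k in gp):
        findings.append("ldap.* properties are in alfresco-global.properties but the chain has "
                        "%d LDAP instances; move them into per-instance files" % len(ldap_instances))
    for name in ldap_instances:
        path = "%s/subsystems/Authentication/%s/ldap-authentication.properties" % (config_root, name)
        if path not in files:
            findings.append("%s: missing %s" % (name, path))
            continue
        props = parse_properties(files[path])
        findings.extend("%s: %s not set in %s" % (name, key, path)
                        for key in REQUIRED_KEYS if not props.get(key))
    return findings


# Constructed sample mirroring the chain in the post; only ad2 has a subsystem file here.
SAMPLE_GLOBAL = "authentication.chain=alfinst:alfrescoNtlm,ad2:ldap-ad,ad1:ldap-ad\n"
SAMPLE_FILES = {
    "<configRootShare>/classes/alfresco/subsystems/Authentication/ad2/ldap-authentication.properties":
        "ldap.authentication.java.naming.provider.url=ldap://ad2.example.test:389\n",
}

if __name__ == "__main__":
    for finding in check_chain(SAMPLE_GLOBAL, SAMPLE_FILES):
        print(finding)
```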
prakashpatel87
Customer

Re: Multiple LDAP does not work in failover

I am also seeing the same issue. If the first server in the authentication chain is down, authentication fails. But if I set the first server to something that doesn't exist, it goes to the second server in the chain - weird.

Were you able to address it?