Thanks a lot for the clarification. The planned feature will certainly be nice in order to be certain that the "passive" LDAP server will be cycled out after a certain period of time. Cycling out based on idle timeout will be hard in servers with heavy load.
I think it would be helpful to add what you wrote to the documentation for the connection-strategy LDAP option, since it is a bit counter-intuitive (at least with respect to what one would expect from an "ACTIVE_PASSIVE" label). I also went through the ldaptive documentation and could not find any helpful hint there either. The connection strategies should work as expected when *not* using a connection pool (and performing a new connection for every request). I guess that I was expecting automatic failover to the "ACTIVE" LDAP server due to the validation functionality of the ldaptive connection pooling: https://www.ldaptive.org/docs/guide/connections/pooling.html

On Fri, 8 Nov 2024 at 04:53, Fisher, Daniel <[email protected]> wrote:

> On Nov 7, 2024, at 3:32 AM, Kostas Kalevras <[email protected]> wrote:
>
> > Hello team
> >
> > I am trying to understand how LDAP failover works and where I am in error in my configuration.
> >
> > I am using CAS 6.6.15. I have a test Docker compose setup with a CAS and two LDAP servers (one "primary" and the other "secondary").
> >
> > Relevant config:
> > cas.authn.ldap[0].ldap-url=ldap://ldap1:389 ldap://ldap2:389
> > cas.authn.ldap[0].connection-strategy=ACTIVE_PASSIVE
> >
> > My process is as follows:
> >
> > 1. Start the docker compose stack
> > 2. Perform an auth on CAS. I observe traffic on ldap1
> > 3. Inside the CAS container run route add -host <ldap1 ip> reject
> > 4. A telnet to ldap1 389 now returns an error as expected
> > 5. Perform an auth on CAS. After a few seconds I get authenticated and observe traffic on ldap2
> > 6. Perform an auth on CAS again. This time everything happens very fast with no problems. So far so good!
> > 7. Now for the main issue: Delete the route with route del -host <ldap1 ip> reject
> > 8. Now I can telnet to ldap1 389
> > 9. Yet no matter what I do, however long I wait, CAS will keep on using *only ldap2*
> > 10. I tried setting up the cas.monitor.ldap settings, explicitly setting the cas.authn.ldap[0].connect-timeout=PT5S, to no avail
> >
> > I seem to be stuck with failover working well when the primary LDAP server goes offline but not when it comes back online.
> >
> > Am I missing something here?
>
> The behavior you’re seeing is consistent with how this functionality works.
> The code attempts to keep working connections available and ensures the minimum pool size is correct.
> When ldap1 is available you should expect *new* connections to be created using that directory.
> The connection to ldap2 may be removed from the pool when it has been idle too long and the number of connections in the pool exceeds the minimum.
> Of course if ldap2 becomes unavailable, it will be removed from the pool.
>
> tl;dr the connection to ldap2 will naturally cycle out of the pool over time as the pool grows and shrinks based on load.
>
> There is a new feature in development that will allow you to configure a max connection age. I expect that to be available in a future CAS release.
>
> —Daniel Fisher
>
> --
> - Website: https://apereo.github.io/cas
> - List Guidelines: https://goo.gl/1VRrw7
> - Contributions: https://goo.gl/mh7qDG
> ---
> You received this message because you are subscribed to a topic in the Google Groups "CAS Community" group.
> To unsubscribe from this topic, visit https://groups.google.com/a/apereo.org/d/topic/cas-user/390ZR4y345c/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to [email protected].
> To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/D07463B9-4556-4DB0-ABFB-9E297CF2CFBE%40vt.edu
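A toy model of the pooling behaviour Daniel describes, added here as an illustration and not code from CAS or ldaptive: a pool with ordered URLs (ACTIVE_PASSIVE), validation on checkout, idle pruning above a minimum size, and an optional max connection age standing in for the planned feature. The class names, the 5-second request cadence, the 30 s idle time and the 60 s max age are constructed assumptions; only the two URLs and the failure steps come from the thread.

```python
from dataclasses import dataclass

@dataclass
class Conn:
    url: str
    opened: float     # when the connection was created
    last_used: float  # when it was last returned to the pool

class ActivePassivePool:
    """Simplified pool model (assumption): ordered URLs, checkout validation, idle pruning, optional max_age."""
    def __init__(self, urls, reachable, min_size=1, idle_time=30.0, max_age=None):
        self.urls, self.reachable = urls, reachable   # reachable: url -> bool, mutated by the scenario
        self.min_size, self.idle_time, self.max_age = min_size, idle_time, max_age
        self.idle, self.clock = [], 0.0
    def _open(self):
        # The strategy only acts on a *new* connection: try the URLs in configured order
        for url in self.urls:
            if self.reachable[url]:
                return Conn(url, self.clock, self.clock)
        raise ConnectionError("no LDAP server reachable")
    def _prune(self):
        keep = []
        for c in self.idle:
            too_old = self.max_age is not None and self.clock - c.opened >= self.max_age
            too_idle = self.clock - c.last_used >= self.idle_time and len(keep) >= self.min_size
            if not (too_old or too_idle):
                keep.append(c)
        self.idle = keep                       # the pool refills on demand if it drops below min_size
    def request(self, now):
        # Borrow a connection whose server still answers (validation), else open one; report the URL used
        self.clock = now
        self._prune()
        conn = next((c for c in self.idle if self.reachable[c.url]), None)
        self.idle = [c for c in self.idle if c is not conn and self.reachable[c.url]]
        if conn is None:
            conn = self._open()
        conn.last_used = now
        self.idle.append(conn)
        return conn.url

def run_scenario(max_age=None):
    """Replay the thread's steps with constructed timings; returns the URL that served each request."""
    up = {"ldap://ldap1:389": True, "ldap://ldap2:389": True}
    pool = ActivePassivePool(list(up), up, max_age=max_age)
    served = [pool.request(0)]                 # step 2: traffic on ldap1
    up["ldap://ldap1:389"] = False             # step 3: route to ldap1 rejected
    served.append(pool.request(5))             # step 5: pooled ldap1 conn fails validation, failover to ldap2
    up["ldap://ldap1:389"] = True              # step 7: route removed, ldap1 reachable again
    served += [pool.request(t) for t in range(10, 130, 5)]   # steady load keeps the ldap2 conn busy
    return served
```

Under steady load the ldap2 connection is never idle long enough to be pruned, so every later request reuses it; with a max age set, it expires and the replacement is opened against ldap1.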
