On Thu Dec, 20, 2018 at 9:17 PM Kumar, Virendra <virendra.ku...@guycarp.com> wrote:
> I figured it out, this is how it works:
> --
> host all all 0.0.0.0/0 ldap ldapserver=server1.com ldapserver=server2.com ldapprefix=PROD01\
>
> So documentation needs some update.
>

Just FYI I tried out this method on my setup, and it did not work. Postgres (I tried on v. 10 and v. 12) will always pick the last "ldapserver=" tag that it parses. Alvaro's format (ldapserver="server1 server2") works for me.

To be clear:

<snippet>
# does not work:
host all all 0.0.0.0/0 ldap ldapserver=ldap-service1 ldapserver=ldap-service2 ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389

# this works:
host all all 0.0.0.0/0 ldap ldapserver="ldap-service1 ldap-service2" ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389
</snippet>

For anyone who comes across this in the future, I have also compiled a short YouTube video to demonstrate the behavior of the two formats: https://youtu.be/kjlwwfHdpWg

--Richard

> Regards,
> Virendra
>
> -----Original Message-----
> From: Alvaro Herrera [mailto:alvhe...@2ndquadrant.com]
> Sent: Thursday, December 20, 2018 3:25 PM
> To: Kumar, Virendra
> Cc: pgsql-general@lists.postgresql.org
> Subject: Re: Multiple LDAP Servers for ldap Authentication
>
> On 2018-Dec-20, Kumar, Virendra wrote:
>
> > Comma separated doesn't work either.
>
> Please separate by a comma and a space, not just a comma. My reading of
> the OpenLDAP source code, and some quick experiments comparing failure
> patterns, suggest that that exact combination may work. (OpenLDAP is
> not exactly well commented.) I think one problem you may or may not hit
> is the PostgreSQL authentication timeout expiring sooner than OpenLDAP
> is willing to try the second server.
>
> --
> Álvaro Herrera https://www.2ndQuadrant.com/
> PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
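As an added example (not code from the thread or from PostgreSQL's source), a small Python check that models the option-parsing behaviour Richard describes: it tokenises a pg_hba.conf ldap line with quoting respected, keeps only the last value of a repeated key, and flags the repeated ldapserver= form whose failover host is silently dropped. The sample lines are constructed, and parse_hba_line, ldap_servers and check_hba_line are hypothetical names.

```python
import shlex

# Constructed sample pg_hba.conf lines, not the poster's real configuration.
# The first repeats ldapserver=, which PostgreSQL resolves by keeping only
# the last value; the second is the quoted, space-separated form that works.
HBA_LINES = [
    'host all all 0.0.0.0/0 ldap ldapserver=ldap-service1 ldapserver=ldap-service2 '
    'ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389',
    'host all all 0.0.0.0/0 ldap ldapserver="ldap-service1 ldap-service2" '
    'ldaptls=1 ldapprefix="cn=" ldapsuffix=", dc=example, dc=org" ldapport=389',
]


def parse_hba_line(line):
    """Split a pg_hba.conf line into its five fixed fields and its auth options.

    Quoted values such as ldapsuffix=", dc=example, dc=org" contain spaces, so the
    line is tokenised with shell-style quoting. Options go into a dict, so a
    repeated key overwrites the earlier value (the last-wins behaviour observed).
    """
    tokens = shlex.split(line, comments=True)
    if len(tokens) < 5:
        raise ValueError("expected: type database user address method [options]")
    fields = dict(zip(("type", "database", "user", "address", "method"), tokens[:5]))
    options, duplicates = {}, []
    for tok in tokens[5:]:
        key, sep, value = tok.partition("=")
        if not sep:
            raise ValueError("auth option without '=': %r" % tok)
        if key in options:
            duplicates.append((key, options[key]))  # remember the value being lost
        options[key] = value
    return fields, options, duplicates


def ldap_servers(options):
    """Hosts handed to the LDAP client: the single surviving ldapserver value
    split on whitespace, so only the quoted multi-host form yields both."""
    return options.get("ldapserver", "").split()


def check_hba_line(line):
    """Report the effective LDAP hosts and warn when a repeated key dropped one."""
    _fields, options, duplicates = parse_hba_line(line)
    warnings = ["repeated option %r discards %r; only the last value is kept" % d
                for d in duplicates]
    return {"servers": ldap_servers(options), "warnings": warnings}


if __name__ == "__main__":
    for line in HBA_LINES:
        print(check_hba_line(line))
```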