I recently hit a problem where one of our ADIR DCs became unresponsive, and as a result I couldn't use Vault to authenticate using LDAP. I had to manually write new config to Vault to use our secondary DC to get this working again.
It would be great to have multiple urls in the LDAP auth backend, e.g. a primary_url and secondary_url key. If one of the LDAP connections fails, the other could be used as a backup?
That's a good idea!
Or perhaps support a list of URLs in url to try in sequence?
@tomalok Yeah, that works too ;)
I was thinking about doing this by using consul & adding LDAP as an external service, then configuring vault to use the service address from consul.
A list of round-robin LDAP slaves would be good
@tam7t Curious, did you ever do that, and how did it work out if so?
If someone wants to enable multiple urls, it would be a pretty easy junior job kind of thing. I could help with guidance.
@jefferai not yet, still on my todo list
I've created #2350 which allows specifying a list of URLs that are tried in-order. A future enhancement could potentially round-robin them.
Although the unit tests exercise connecting to a backup URL if the first is invalid, I don't know for sure if this will handle all connection/dialing issues, so any additional testing from the posters on this thread would be welcomed! (Even if it gets merged, testing after-the-fact is useful for sure.)
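The in-order failover the PR comment describes, as an added illustration that is not Vault's own code or the code in #2350: a comma-separated `url` list (the separator is an assumption here) is walked strictly in order, each entry is dialed with a bounded timeout, and the first server that accepts a TCP connection wins. The `Dialer` type and `FakeDialer` stub are constructed for this example so it runs offline; in real use you would pass `net.DialTimeout`. The hostnames `dc1.example.com` and `dc2.example.com` are placeholders.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
	"time"
)

// Dialer has the shape of net.DialTimeout so the failover logic can be
// exercised without a real LDAP server (the example swaps in FakeDialer).
type Dialer func(network, addr string, timeout time.Duration) (net.Conn, error)

// ConnectFirst walks a comma-separated list of LDAP URLs (assumed format,
// e.g. "ldap://dc1:389,ldaps://dc2:636") in order and returns the first
// connection that succeeds plus the URL that produced it. Every failure is
// collected so the caller can see why all of them failed.
func ConnectFirst(urlList string, dial Dialer, timeout time.Duration) (net.Conn, string, error) {
	var failures []string
	for _, raw := range strings.Split(urlList, ",") {
		raw = strings.TrimSpace(raw)
		if raw == "" {
			continue
		}
		u, err := url.Parse(raw)
		if err != nil {
			failures = append(failures, fmt.Sprintf("%s: %v", raw, err))
			continue
		}
		addr := u.Host
		if u.Port() == "" { // fill in the standard LDAP / LDAPS port
			port := "389"
			if u.Scheme == "ldaps" {
				port = "636"
			}
			addr = net.JoinHostPort(u.Hostname(), port)
		}
		// A hung DC (the case in the original report) does not refuse the
		// connection; only the timeout moves us on, so keep it bounded.
		conn, err := dial("tcp", addr, timeout)
		if err != nil {
			failures = append(failures, fmt.Sprintf("%s: %v", raw, err))
			continue
		}
		return conn, raw, nil
	}
	return nil, "", errors.New("all LDAP URLs failed: " + strings.Join(failures, "; "))
}

// FakeDialer is a constructed stand-in for net.DialTimeout: addresses in
// reachable succeed with an in-memory pipe, everything else is refused.
// Each attempted address is appended to attempts so the order can be checked.
func FakeDialer(reachable map[string]bool, attempts *[]string) Dialer {
	return func(network, addr string, timeout time.Duration) (net.Conn, error) {
		*attempts = append(*attempts, addr)
		if !reachable[addr] {
			return nil, &net.OpError{Op: "dial", Net: network, Err: errors.New("connection refused")}
		}
		client, _ := net.Pipe()
		return client, nil
	}
}

func main() {
	// Constructed scenario: the primary DC is down, only the secondary answers.
	var attempts []string
	dial := FakeDialer(map[string]bool{"dc2.example.com:636": true}, &attempts)
	conn, used, err := ConnectFirst("ldap://dc1.example.com,ldaps://dc2.example.com", dial, 5*time.Second)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	defer conn.Close()
	fmt.Println("connected via", used, "after trying", attempts)
}
```

Note what a TCP-level probe does not cover: an `ldaps://` entry can accept the connection and then fail the TLS handshake, and a bind can still be rejected after either, so a production implementation should treat those later failures as reasons to fall through to the next URL as well.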