RE: Multiple LDAP Servers for ldap Authentication

From Kumar, Virendra
Subject RE: Multiple LDAP Servers for ldap Authentication
Msg-id fe9c5d270e3f42a4996ff2324efce392@USFKL11XG20CN01.mercer.com
In reply to Re: Multiple LDAP Servers for ldap Authentication  (Alvaro Herrera <alvherre@2ndquadrant.com>)
Responses Re: Multiple LDAP Servers for ldap Authentication
List pgsql-general
This is what I see:
--
[postgres@usdf24v0131 ~]$ which postgres
/opt/postgres/10/bin/postgres
[postgres@usdf24v0131 ~]$ ldd /opt/postgres/10/bin/postgres
        linux-vdso.so.1 =>  (0x00007ffee3fe8000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f9a7f125000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f9a7ef1d000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f9a7ed19000)
        libm.so.6 => /lib64/libm.so.6 (0x00007f9a7ea17000)
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f9a7e7c2000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f9a7e3f5000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f9a7f341000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f9a7e1e6000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f9a7dfcd000)
        libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007f9a7ddb0000)
        libssl.so.10 => /lib64/libssl.so.10 (0x00007f9a7db3e000)
        libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f9a7d6dd000)
        libssl3.so => /lib64/libssl3.so (0x00007f9a7d48b000)
        libsmime3.so => /lib64/libsmime3.so (0x00007f9a7d264000)
        libnss3.so => /lib64/libnss3.so (0x00007f9a7cf37000)
        libnssutil3.so => /lib64/libnssutil3.so (0x00007f9a7cd08000)
        libplds4.so => /lib64/libplds4.so (0x00007f9a7cb04000)
        libplc4.so => /lib64/libplc4.so (0x00007f9a7c8ff000)
        libnspr4.so => /lib64/libnspr4.so (0x00007f9a7c6c1000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f9a7c48a000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f9a7c23d000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f9a7bf54000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f9a7bd39000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f9a7bb35000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f9a7b926000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f9a7b710000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007f9a7b50d000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f9a7b309000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f9a7b0e2000)
        libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f9a7ae80000)


Regards,
Virendra

-----Original Message-----
From: Alvaro Herrera [mailto:alvherre@2ndquadrant.com]
Sent: Thursday, December 20, 2018 1:47 PM
To: Kumar, Virendra
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Multiple LDAP Servers for ldap Authentication

Hello Virendra

On 2018-Dec-20, Kumar, Virendra wrote:

> I am going through ldap authentication documents in PostgreSQL and found that we can specify multiple ldap servers but sure how. I have put two entries in double quotes like below:
> --
> host    all     all                            0.0.0.0/0              ldap ldapserver="server1.com server2.com" ldapprefix=PROD01\
>
> There is no complaint when reloading the pg_hba.conf file; however, when server1.com is down the connection just times out instead of trying server2. Does anybody have an idea how to configure it or how to make this work?

Reading the server code, I find this rather surprising.  The ldapserver
string is passed directly to ldap_init(), which per its manual should
use the multiple servers:
  "The host parameter may contain a blank-separated list of hosts to try
   to connect to, and each host may optionally be of the form
   host:port."
     ( quoted from https://linux.die.net/man/3/ldap_init )

Maybe the library you have does not behave in the same way?  It would be
good to confirm that the LDAP library you have is OpenLDAP and not
something else.  Can you run an `ldd` on the postgres binary and see
what the output says about ldap?

--
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
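
Added example, not part of the original thread and not PostgreSQL's own code: a Python sketch of the two checks discussed above. It lists the hosts in an ldapserver value the way the quoted ldap_init() manual describes (blank-separated, optional host:port) and pulls the LDAP client libraries out of ldd output. The tokenizer is a simplified assumption rather than PostgreSQL's pg_hba.conf parser, the function names are hypothetical, and the fallback port 389 is assumed.

```python
import re

# Constructed sample input, copied from the pg_hba.conf line and ldd output in the thread.
HBA_LINE = 'host all all 0.0.0.0/0 ldap ldapserver="server1.com server2.com" ldapprefix=PROD01\\'
LDD_SAMPLE = """\
        libldap-2.4.so.2 => /lib64/libldap-2.4.so.2 (0x00007f9a7e7c2000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f9a7e3f5000)
        liblber-2.4.so.2 => /lib64/liblber-2.4.so.2 (0x00007f9a7e1e6000)
"""

# A token is a run of non-blank characters; double quotes may enclose blanks.
TOKEN = re.compile(r'(?:[^\s"]|"[^"]*")+')
LDD_LDAP = re.compile(r'^[ \t]*(lib(?:ldap|lber)\S*)[ \t]+=>[ \t]+(\S+)', re.M)


def hba_options(line):
    """Return the name=value auth options of one pg_hba.conf record (simplified)."""
    opts = {}
    for tok in TOKEN.findall(line):
        name, sep, value = tok.partition("=")
        if sep and '"' not in name:
            opts[name] = value.replace('"', "")
    return opts


def ldap_hosts(line):
    """Split ldapserver into (host, port) pairs: blank-separated, optional host:port."""
    opts = hba_options(line)
    default_port = int(opts.get("ldapport", 389))  # assumption: 389 when unset
    hosts = []
    for entry in opts.get("ldapserver", "").split():
        host, sep, port = entry.rpartition(":")  # IPv6 literals are not handled
        hosts.append((host, int(port)) if sep else (entry, default_port))
    return hosts


def linked_ldap_libs(ldd_output):
    """Return {soname: path} for the libldap/liblber lines of `ldd` output."""
    return dict(LDD_LDAP.findall(ldd_output))


if __name__ == "__main__":
    for host, port in ldap_hosts(HBA_LINE):
        print(f"ldapserver entry: {host}:{port}")
    for soname, path in linked_ldap_libs(LDD_SAMPLE).items():
        print(f"linked LDAP library: {soname} -> {path}")
```

The resolved library path can then be handed to the system package manager to see which LDAP implementation provides it.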
