On Nov 7, 2024, at 3:32 AM, Kostas Kalevras <kka...@gmail.com> wrote:

Hello team

I am trying to understand how LDAP failover works and where I am in error in my 
configuration.

I am using CAS 6.6.15. I have a test Docker compose setup with a CAS and two 
LDAP servers (one "primary" and the other "secondary").

Relevant config:
cas.authn.ldap[0].ldap-url=ldap://ldap1:389 ldap://ldap2:389
cas.authn.ldap[0].connection-strategy=ACTIVE_PASSIVE

My process is as follows:

  1.  Start the docker compose stack
  2.  Perform an auth on CAS. I observe traffic on ldap1
  3.  Inside the CAS container run route add -host <ldap1 ip> reject
  4.  A telnet to ldap1 389 now returns an error as expected
  5.  Perform an auth on CAS. After a few seconds I get authenticated and 
observe traffic on ldap2
  6.  Perform an auth on CAS again. This time everything happens very fast with 
no problems. So far so good!
  7.  Now for the main issue: Delete the route with route del -host <ldap1 ip> 
reject
  8.  Now I can telnet to ldap1 389
  9.  Yet no matter what I do, how much I wait, CAS will keep on using only 
ldap2
  10. I tried setting up the cas.monitor.ldap settings and explicitly setting 
cas.authn.ldap[0].connect-timeout=PT5S, to no avail.

I seem to be stuck with failover working well when the primary LDAP server goes 
offline but not when it comes back online.

Am I missing something here?

The behavior you’re seeing is consistent with how this functionality works.
The code attempts to keep working connections available and ensures the minimum 
pool size is correct.
When ldap1 is available you should expect *new* connections to be created using 
that directory.
The connection to ldap2 may be removed from the pool when it has been idle too 
long and the number of connections in the pool exceeds the minimum.
Of course if ldap2 becomes unavailable, it will be removed from the pool.

tl;dr: the connection to ldap2 will naturally cycle out of the pool over time as 
the pool grows and shrinks based on load.

There is a new feature in development that will allow you to configure a max 
connection age; I expect that to be available in a future CAS release.

—Daniel Fisher
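A toy model of the pool behaviour described in the reply, added here as an example (it is not ldaptive or CAS code; the class and method names, the fake clock, the idle-prune order and the min-size/idle-time values are assumptions). It replays steps 2 through 9 of the question and then shows the load/idle cycle under which the pooled ldap2 connection is finally pruned and new connections go back to ldap1:

```python
from types import SimpleNamespace as Conn   # fields: server, last_used

class ActivePassivePool:
    # toy blocking pool: first reachable server in configured order wins
    def __init__(self, servers, min_size=1, idle_time=30.0):
        self.servers, self.reachable = list(servers), set(servers)
        self.min_size, self.idle_time = min_size, idle_time
        self.now, self.available = 0.0, []   # fake clock; idle connections
        self.validate()
    def open(self):
        for s in self.servers:               # configured order = priority
            if s in self.reachable:
                return Conn(server=s, last_used=self.now)
        raise ConnectionError("no LDAP server reachable")
    def validate(self):
        # drop connections to hosts that went away, then refill to min_size
        self.available = [c for c in self.available if c.server in self.reachable]
        while len(self.available) < self.min_size:
            self.available.append(self.open())
    def checkout(self):
        # a pooled connection is reused whichever server it points at
        return self.available.pop(0) if self.available else self.open()
    def checkin(self, conn):
        conn.last_used = self.now
        self.available.append(conn)
    def prune(self):
        keep = sorted(self.available, key=lambda c: c.last_used)
        while len(keep) > self.min_size and self.now - keep[0].last_used > self.idle_time:
            keep.pop(0)                      # longest idle first, never below min_size
        self.available = keep

def replay_thread_scenario():
    """Steps 2-9 from the thread, then the load/idle cycle that evicts ldap2."""
    pool, used = ActivePassivePool(["ldap1", "ldap2"]), []
    def auth():
        c = pool.checkout(); used.append(c.server); pool.checkin(c)
    auth()                               # step 2: ldap1
    pool.reachable.discard("ldap1")      # step 3: route to ldap1 rejected
    pool.validate()
    auth(); auth()                       # steps 5-6: failover to ldap2
    pool.reachable.add("ldap1")          # step 7: route restored
    auth()                               # step 9: pooled ldap2 conn still reused
    a, b = pool.checkout(), pool.checkout(); used += [a.server, b.server]  # load: b opens ldap1
    pool.checkin(a); pool.now += 60.0; pool.checkin(b)
    pool.prune()                         # ldap2 conn idle 60s > 30s, pool above min
    auth()                               # from here on: ldap1
    return used
```

Run `replay_thread_scenario()` to see the server sequence; the ldap2 connection survives the route restore and only leaves once the pool has grown past its minimum and that connection has sat idle longer than the prune threshold.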

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
To view this discussion visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/D07463B9-4556-4DB0-ABFB-9E297CF2CFBE%40vt.edu.