Failover support in sudo_ldap

Aaron Spangler aaron at
Tue Mar 30 15:42:24 EST 2004

The most up to date sudo-ldap is currently in sudo's cvs repository
(Todd has not released it as a package yet).  Let me know if this is
the version you are using.

I went to put failover code into sudo and found that Many LDAP libraries
already support it in the ldap_initialize() function.  [Apparently not all
support it].

OpenLDAP already has the failover code.  If I remember right though, you
are using a different set of libraries.

Using Openldap, in your /etc/ldap.conf you just specify

uri ldaps://host1, ldap://host2, ldaps://host3

Also if you find problems with DNS, then you might list host2 & host3 by
IP address.

I supposed we could write additional code for those that are not using
OpenLDAP.  There are a couple of things we have to write in

1) deal with servers that are completely down (timeout/no reply from host)
 We have to then code in the timeout handling code.
2) deal with servers that are up but the LDAP service is down (connection
3) deal with servers where SSL/TLS hangs (tricky)
4) deal with servers where LDAP connect & bind hangs (timeout)
5) deal with servers where the search hangs.

Currently OpenLDAP automatically handles all of this (except for situation
3).  We would need to write similar code (but not exact because it is
under a different license)

 - Aaron

> Hi Aaron,
> can you give me some news about the failover support in your ldap patch ?
> We need this support because we have four ldap servers (one master and
> three slaves) in each environment. If we only use ldap entries instead of
> a plain sudoers file we must have redundant access to the four ldap
> servers.
> Regards,
> Andreas

More information about the sudo-users mailing list