Support multiple LDAP servers in a auth source

[abhishek818]

support multiple LDAP servers and add dialing timeout, also rename cli flag 'host' to 'host-list'.

closes #6898
/claim #6898

[abhishek818]

@techknowlogick @silverwind pls review.

[silverwind]

What happens if host 1 is down and host 2 is up? Will it wait for the 10 seconds timeout on host 1 until it contacts host 2?

[abhishek818]

What happens if host 1 is down and host 2 is up? Will it wait for the 10 seconds timeout on host 1 until it contacts host 2?

yes, unfortunately. I have searched, there seems to be no way around it.
But i guess it helps with providing ample timeout time for gracefully exit of connection. (for scenarios where say, 2 hosts are configured and both are down, The user again tries with the same 2 hosts within a small time frame. All dangling connections should have ended by then i.e. during the timeout duration)

also, 60 secs is by default, we are going with much lesser value.

[silverwind]

A common way to solve it would be to "race" the TCP connections, e.g. connect both at once and take first connection that connects (e.g. completes the handshake) and drop the others.

Given that this happens on TCP level, there's virtually zero impact on the LDAP servers as the connection attempt never reaches the application layer.

[abhishek818]

done, up for review.

[abhishek818]

@silverwind @techknowlogick bumping this for a review..

[abhishek818]

@silverwind could you please review?

[lunny]

Looks like the tests failure is related.

[abhishek818]

Looks like the tests failure is related.

@lunny @silverwind Up for review, fixed the integration test failures, all tests are green now.

[abhishek818]

@lunny hey can you pls review ?

[lunny]

@lunny hey can you pls review ?

Sorry for the late. I will review this one next week.

[abhishek818]

addressed review comment, up for review.

[lunny]

So all these hosts should have the same port?

[abhishek818]

@lunny damnn, thats a big miss on my part.

Can you help with if we should keep the config for each ldap host as below?

// HostConfig represents the configuration for a single LDAP host
type HostConfig struct {
	Host              string            // Hostname or IP address
	Port              uint16            // Port number
	SecurityProtocol  SecurityProtocol  // Security protocol (LDAP, LDAPS, StartTLS)
	SkipVerify        bool              // Whether to skip TLS certificate verification
	BindDN            string            // Bind DN
	BindPassword      string            // Bind password
	UserBase          string            // User search base
	GroupBase         string            // Group search base
	SearchPageSize    uint32            // Search page size
	Filter            string            // User search filter
	AdminFilter       string            // Admin filter
	RestrictedFilter  string            // Restricted user filter
}

// Source represents the overall LDAP service configuration
type Source struct {
	Name               string        // Canonical name (e.g., corporate.ad)
	Hosts              []HostConfig  // List of host configurations    <-----------------------------
	AttributeUsername  string        // Username attribute
	AttributeName      string        // First name attribute
	AttributeSurname   string        // Surname attribute
	AttributeMail      string        // Email attribute
	AttributeSSHPublicKey string     // SSH Public Key attribute
	AttributeAvatar    string        // Avatar attribute
	AttributesInBind   bool          // Fetch attributes in bind context
	GroupMemberUID     string        // Group attribute containing array of UserUID
	GroupTeamMap       string        // Map LDAP groups to teams
	GroupTeamMapRemoval bool         // Remove user from teams not in corresponding LDAP group
	UserUID            string        // User attribute listed in group
	SkipLocalTwoFA     bool          // Skip 2FA for this source
	authSource         *auth.Source  // Reference to the authSource
}

Further should we go the same approach for each config input value as a list of string separated commas for both cli and web (same as host address currently) ?

[lunny]

Maybe right. But then the UI will become very complex.

[abhishek818]

Agreed, any alternatives you have in mind?
The UI can have an additional input text box for entering no. of ldap servers first, then providing separate input boxes for each of all common params then say 'input port value for server 1' and so on..

[lunny]

I have no idea. It seems the UI will become much complicated.

[abhishek818]

@silverwind @techknowlogick sorry for the tag, just wanted to know your ideas on this if any.

[wxiaoguang]

See this #31649 (comment)

[lunny]

I think many concern problems haven't been resolved and the issue itself is very complicated. I suggest close this pull request and stopping the bounty. Anyway, thank you for your contributions. @abhishek818

[wxiaoguang]

It needs to completely refactor the existing LDAP config related code, the key points (in my mind) could be:

1. use full LDAP URLs for servers, eg: ldap://server:port/, ldaps://server:port/, ldap+starttls://server:port/
2. keep backwards compatibility (eg: avoid changing unnecessary CLI arguments, could re-use/migrate existing LDAP server configs in database)

[lunny]

Given that this issue is far more complicated than we initially expected, it is not feasible to address it through the bounty program. Consequently, we have decided to remove it from the bounty list.

[wxiaoguang]

Inactive for long time and not that right (#31649 (comment))

Feel free to reopen if there would be new progress. Thank you very much.