LemonLDAP::NG and multiple LDAP servers

I think LemonLDAP has updated a small item in their documentation, which I never saw before, and a question I asked before

https://lemonldap-ng.org/documentation/2.0/authldap.html#connection

Can it be used to consolidate more than one LDAP server?

More than one server can be set here separated by spaces or commas. They will be tested in the specified order.
What I am curious about though is how it handles the port and password fields for the multiple LDAP/AD servers in this case…
unless someone has tested that scenario

LDAP already has built-in sync, same/similar as AD.
All concerned servers have therefore exactly the same auth info.
Port? That’s defined: LDAPs uses port 636.

If one goes down, the others have the same info.

Consolidation does NOT imply consolidating “different” LDAP servers, that should be clear!

My 2 cents
Andy

According to the docs, the ports can also be specified in the server host URI

so in the connection options

Example

1 Like
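To make the documented behaviour concrete (several servers separated by spaces or commas, tried in the listed order, with the port optionally given in the server URI), here is an added Python model of that failover logic. It is not LemonLDAP::NG code and makes no real network connection: the connector is a pluggable callable so the "first server down" case can be simulated offline. The default ports (389 for ldap://, 636 for ldaps://) are the standard ones; the single bind DN/password being shared by all listed servers is an assumption that follows from the point made above, namely that the servers are expected to be replicas of one directory.

```python
import re
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Standard default ports per scheme; a port written in the URI overrides these.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

Server = Tuple[str, str, int]  # (scheme, host, port)


def parse_server_list(spec: str) -> List[Server]:
    """Split a space- or comma-separated server list into (scheme, host, port).

    Entries without a scheme are treated as plain ldap://; entries without an
    explicit port get the scheme's default. Order is preserved because the
    servers are tried in the order they are listed.
    """
    servers: List[Server] = []
    for item in re.split(r"[\s,]+", spec.strip()):
        if not item:
            continue
        if "://" not in item:
            item = "ldap://" + item
        parts = urlsplit(item)
        scheme = parts.scheme.lower()
        if scheme not in DEFAULT_PORTS:
            raise ValueError(f"unsupported scheme in server entry {item!r}")
        if not parts.hostname:
            raise ValueError(f"missing host in server entry {item!r}")
        port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
        servers.append((scheme, parts.hostname, port))
    return servers


def connect_first_available(
    spec: str,
    connect: Callable[[str, str, int], bool],
) -> Optional[Server]:
    """Try each listed server in order and return the first one that accepts.

    `connect` stands in for the real LDAP connect+bind step; it receives
    (scheme, host, port) and returns True on success. A network failure on
    one server (raised as OSError) just moves on to the next one.
    """
    for server in parse_server_list(spec):
        try:
            if connect(*server):
                return server
        except OSError:
            continue
    return None


if __name__ == "__main__":
    # Constructed scenario: the first replica is unreachable, the second is up.
    # One set of bind credentials is used for every server in the list, which
    # only makes sense when they all hold the same directory content.
    BIND_DN = "cn=lemonldap,ou=services,dc=example,dc=com"   # constructed
    BIND_PASSWORD = "example-only"                            # constructed

    def simulated_connect(scheme: str, host: str, port: int) -> bool:
        if host == "ldap1.example.com":
            raise OSError("connection refused")  # simulate an outage
        return True

    chosen = connect_first_available(
        "ldaps://ldap1.example.com ldaps://ldap2.example.com:636, ldap3.example.com",
        simulated_connect,
    )
    print("bound as", BIND_DN, "to", chosen)
```

The parser shows why the port question answers itself: each entry carries its own port (or the scheme default), while the bind DN and password are configured once and reused for every server in the list.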

You can also change ports, e.g. for Apache / nginx / IIS.

But: a web-page runs on port 80 or port 443, and NOTHING else.

Any “funky” port use for a web page will only result in not being available externally - most hotspots only allow these two ports.

And to be honest, there is no really legit need to use “funky” ports for anything which uses a so-called “well known port”.
Anything else is just “security by obscurity” - or being a cheapskate trying to use one IP for something which would need more IPs…

My 2 cents
Andy

I am not sure I understand this statement in this regard.
And what do you mean, it already has sync in place?

But to make it clear, I meant two totally separate LDAP servers, with different domains and different sets of users.

Not necessarily a backup/synced server.

@oneitonitram

I know you’d like to have something which can do that for you…

But reality is another world.

Consolidating different LDAPs correctly entails a lot more work.

My 2 cents
Andy

:joy: :joy: :rofl: :rofl: maybe you should ask shared web hosting companies how they are able to keep the hosting costs low. It’s all about the ports…

@oneitonitram

This is pure BS.

Any hosted Webpage will use ports 80 and/or port 443…
Otherwise it’s not “Web-hosting”!!!

Very simple!

In my case, I did not mean consolidation in the sense you understood. What I meant was: even if I have multiple LDAP servers which have no correlation with one another,

then it would be possible to use the same LemonLDAP installation for SAML/OpenID and the rest for authentication on client apps,

rather than deploying separate LemonLDAP instances in this case.

For most customer-facing web pages, but not really for other stuff. The same way, you don’t visit login-to-my-neth-server.com to access the NethServer GUI, as well as Proxmox and other tools. They run on a different port, and it’s sometimes for good cause and reason.

Most Java systems, by default, don’t use port 80, similar to Node.js. It’s not necessarily security by obscurity, but merely to avoid headaches, conflicts and overheads.

1 Like

I know, and that would present you with MAJOR issues.

You’re only seeing the imagined savings, trying to save the very expensive software needed to consolidate different (independent) LDAPs like you imagine.

To make your system completely insecure, I’d just have to create the same user on both LDAP servers involved. LemonLDAP would not be able to differentiate.

So a “lesser” user would get elevated in permissions…

Your understanding of security is really “out of this world” and a bit too simplistic.


Comparing an “admin” page like Proxmox or any network printer is like comparing apples with a meat pie. No webhoster offers these kinds of pages commercially!

These may use a browser to be accessed, but are NEVER considered as web-pages!

BS comparison, sorry!


Yes, but these are JAVA applications, not a webpage.
And what are these Java apps viewed with? Yes, a reverse proxy inserting the inaccessible Java into a common webpage, again running on ports 80 or 443.
If not, it’s not a web-page, but rather an administrative page…

And again, the main reason is it’s not easy to use a port <1024 for JAVA (These are well known ports…). The reason is security, as using ports <1024 means starting with root, not a good idea…

This would be an absolute security nightmare!!!

If you put it this way, it makes a lot of sense.

Understandably, I have only about 6 years deploying systems to servers, while you have well over 20 years…

So I can’t argue with that.

But all this begs a new question.
Doesn’t or can’t LemonLDAP handle a case of a similar username being used? I believe it’s a use case that they should and must have thought about when they were building the system.

Because, while LDAP is one of the options, LemonLDAP does offer multiple other options for backend authentication, and I think they can all be used more than one at a time. So how does it handle this…

Something to research.

No need to research this.

This can only work, when the “source” is defined.
So the user logging in to any interface using LemonLDAP has to exist only once in the global context.
A default could be LDAP, others would need to be specified.

Example:

User: oneitonitram (LDAP user oneitonitram)

User oneitonitram.oid (OpenID user oneitonitram)

These are only samples of how it could be done…
But it has to be absolutely clear for the system, which user is meant…

Something like

USERNAME.SOURCE would work…

Think about mail and the typical webmaster mail account/user on a hosted public webserver.

Just using webmaster won’t work, the server can’t differentiate.

webmaster@domain1.com
webmaster@domain2.com

can easily be differentiated.

This has existed for over 30 years!

1 Like

Security concerns aside, the only way I think that would work is if the uid is mapped to, say, email (userPrincipalName) with different domains, requiring the login to be user@domain.tld. That said, I’m not sure how you would define individual anonymous bind accounts (i.e., ldapservice@domain.tld) and mail servers.

But while security is definitely an issue, I think the bigger issue would be availability: if that server goes down and has, say, five ADs set up, that’s five customers that would be mad.
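The collision Andy describes above (the same username created in two unrelated directories, so that a "lesser" user ends up with the other directory's permissions) and the two fixes proposed in the thread (a USERNAME.SOURCE suffix, or a user@domain.tld login mapped to something like userPrincipalName) can be shown side by side in a small simulation. The following Python is an added example, not LemonLDAP::NG code and not a description of how LemonLDAP resolves users; the directory contents, passwords, the `corp`/`cust` source aliases and the "primary directory" authorization rule are all constructed for the demo.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    uid: str
    password: str            # constructed sample secret; plaintext only for this demo
    groups: Tuple[str, ...]


# Constructed sample data: two directories with no relation to each other,
# both of which happen to contain a user called "oneitonitram".
DIRECTORIES: Dict[str, Dict[str, Entry]] = {
    "corp.example.com": {
        "oneitonitram": Entry("oneitonitram", "corp-secret", ("admins",)),
        "alice": Entry("alice", "alice-secret", ("staff",)),
    },
    "customer.example.net": {
        "oneitonitram": Entry("oneitonitram", "cust-secret", ("guests",)),
    },
}

# Short suffixes for the USERNAME.SOURCE style (assumed naming for this demo).
SOURCE_ALIASES = {"corp": "corp.example.com", "cust": "customer.example.net"}


def bind(realm: str, uid: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind against one directory."""
    entry = DIRECTORIES[realm].get(uid)
    return entry is not None and hmac.compare_digest(entry.password, password)


# --- The problematic design: bare uid tried against every backend ----------

def authenticate_naive(login: str, password: str, order: List[str]) -> Optional[str]:
    """First backend that accepts the bare login wins; the caller only
    learns the uid, not which directory actually authenticated it."""
    for realm in order:
        if bind(realm, login, password):
            return login
    return None


def groups_naive(uid: str, primary_realm: str = "corp.example.com") -> Tuple[str, ...]:
    """Authorization that looks up groups by bare uid in one 'primary' directory.
    Combined with authenticate_naive this is the privilege-elevation path."""
    entry = DIRECTORIES[primary_realm].get(uid)
    return entry.groups if entry else ()


# --- The qualified design: the login names its source --------------------

def split_login(login: str) -> Tuple[str, str]:
    """Accept user@realm (UPN style) or USERNAME.SOURCE; reject unqualified logins."""
    if "@" in login:
        uid, realm = login.rsplit("@", 1)
        if realm in DIRECTORIES:
            return uid, realm
    elif "." in login:
        uid, source = login.rsplit(".", 1)
        if source in SOURCE_ALIASES:
            return uid, SOURCE_ALIASES[source]
    raise ValueError(f"login {login!r} does not name a known source")


def authenticate_qualified(login: str, password: str) -> Optional[Tuple[str, str]]:
    """Bind only against the directory the login names; return (uid, realm)."""
    uid, realm = split_login(login)
    return (uid, realm) if bind(realm, uid, password) else None


def groups_qualified(uid: str, realm: str) -> Tuple[str, ...]:
    """Authorization uses the same directory that authenticated the user."""
    entry = DIRECTORIES[realm].get(uid)
    return entry.groups if entry else ()


if __name__ == "__main__":
    # Someone who controls only the customer directory knows "cust-secret".
    order = ["corp.example.com", "customer.example.net"]
    uid = authenticate_naive("oneitonitram", "cust-secret", order)
    print("naive:", uid, "->", groups_naive(uid))        # ('admins',): elevated

    who = authenticate_qualified("oneitonitram@customer.example.net", "cust-secret")
    print("qualified:", who, "->", groups_qualified(*who))  # ('guests',)
    print("wrong realm:", authenticate_qualified("oneitonitram@corp.example.com", "cust-secret"))
```

The naive path succeeds because the bind loop and the group lookup disagree about which directory the user belongs to; the qualified path makes the source part of the identity, so authentication and authorization can never refer to two different "oneitonitram" entries.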

Email is workable, like my example with “webmaster”, but tends to be longer than a short additional identifier. Email is more common for the general public, but in corporations often Division or Site are used.


That’s why one has several auth sources (all with the same content) for redundancy…

For 5 ADs, that’s at least 10 servers… :slight_smile:

1 Like

I mean, don’t get me wrong, I do see the perceived benefits of having it on one server, but in practice I suppose it’s like having a long list as opposed to multiple: it’s easy to add but takes longer to find certain things. Maybe a bad analogy.

is not really having any form of redundancy, better availability…

Sorry Shane, but here you sound like the typical Windows user, accustomed to Windows local search, not something like Google… Google will find anything from thousands, if not millions of sources…

The more common the name, the more “hits” you’ll get, true. Then again, you won’t find really many “real” John Does… :slight_smile:

But the thing is: the better the engine, the easier and faster the “search”…

Think of a really large company or corporation, with over 100’000 employees. Sure you’ll have one or more with the same names. No issues really. But all can e.g. log in to an “Intranet” site, and using SSO they’re then logged in (or “enabled”) on whatever internal sites they need to…

My 2 cents
Andy

1 Like

yes

This is true, but I should have phrased it like this: if you were writing a list on paper (can’t believe I said that :slightly_smiling_face:), it seems easier to just add the next thing, but if you get a list of lots of things, it’s easier to have them organised in groups in the event you need to actually find the thing you wrote down.

1 Like

That’s like looking for who uses a specific phone number - in old-style telephone book(s)…

Days? Weeks? Months? Years?

And just the country (eg India or China vs. Australia) could make years of difference…

Be glad we’re in the digital age! :slight_smile:

1 Like