Support multiple LDAP servers in a auth source

[abhishek818]

support multiple LDAP servers and add dialing timeout, also rename cli flag 'host' to 'host-list'.

closes #6898
/claim #6898

[abhishek818]

@techknowlogick @silverwind pls review.

[silverwind]

What happens if host 1 is down and host 2 is up? Will it wait for the 10 seconds timeout on host 1 until it contacts host 2?

[abhishek818]

What happens if host 1 is down and host 2 is up? Will it wait for the 10 seconds timeout on host 1 until it contacts host 2?

yes, unfortunately. I have searched, there seems to be no way around it.
But i guess it helps with providing ample timeout time for gracefully exit of connection. (for scenarios where say, 2 hosts are configured and both are down, The user again tries with the same 2 hosts within a small time frame. All dangling connections should have ended by then i.e. during the timeout duration)

also, 60 secs is by default, we are going with much lesser value.

[silverwind]

A common way to solve it would be to "race" the TCP connections, e.g. connect both at once and take first connection that connects (e.g. completes the handshake) and drop the others.

Given that this happens on TCP level, there's virtually zero impact on the LDAP servers as the connection attempt never reaches the application layer.

[abhishek818]

done, up for review.

[abhishek818]

@silverwind @techknowlogick bumping this for a review..

[abhishek818]

@silverwind could you please review?

[lunny]

Looks like the tests failure is related.

[abhishek818]

Looks like the tests failure is related.

@lunny @silverwind Up for review, fixed the integration test failures, all tests are green now.

[abhishek818]

@lunny hey can you pls review ?

[lunny]

@lunny hey can you pls review ?

Sorry for the late. I will review this one next week.

[lunny]

I think it's better to use a standalone function rather than a closure function.

[abhishek818]

agreed, refactored.

[abhishek818]

addressed review comment, up for review.

[lunny]

So all these hosts should have the same port?

[abhishek818]

@lunny damnn, thats a big miss on my part.

Can you help with if we should keep the config for each ldap host as below?

// HostConfig represents the configuration for a single LDAP host
type HostConfig struct {
	Host              string            // Hostname or IP address
	Port              uint16            // Port number
	SecurityProtocol  SecurityProtocol  // Security protocol (LDAP, LDAPS, StartTLS)
	SkipVerify        bool              // Whether to skip TLS certificate verification
	BindDN            string            // Bind DN
	BindPassword      string            // Bind password
	UserBase          string            // User search base
	GroupBase         string            // Group search base
	SearchPageSize    uint32            // Search page size
	Filter            string            // User search filter
	AdminFilter       string            // Admin filter
	RestrictedFilter  string            // Restricted user filter
}

// Source represents the overall LDAP service configuration
type Source struct {
	Name               string        // Canonical name (e.g., corporate.ad)
	Hosts              []HostConfig  // List of host configurations    <-----------------------------
	AttributeUsername  string        // Username attribute
	AttributeName      string        // First name attribute
	AttributeSurname   string        // Surname attribute
	AttributeMail      string        // Email attribute
	AttributeSSHPublicKey string     // SSH Public Key attribute
	AttributeAvatar    string        // Avatar attribute
	AttributesInBind   bool          // Fetch attributes in bind context
	GroupMemberUID     string        // Group attribute containing array of UserUID
	GroupTeamMap       string        // Map LDAP groups to teams
	GroupTeamMapRemoval bool         // Remove user from teams not in corresponding LDAP group
	UserUID            string        // User attribute listed in group
	SkipLocalTwoFA     bool          // Skip 2FA for this source
	authSource         *auth.Source  // Reference to the authSource
}

Further should we go the same approach for each config input value as a list of string separated commas for both cli and web (same as host address currently) ?