Redundant Ldap Configuration + More groups

nikitha sumi.techno at gmail.com
Sat Feb 17 08:31:29 CET 2007


Hi All,

Authentication takes more time when two ldap servers are configured (for
redundancy) and one is not reachable. I have configured the redundant ldap
module as specified in the doc.

authorize {
        # ...
        redundant {
                ldap-server-1
                ldap-server-2
        }
}
authenticate {
        # ...
        Auth-Type ldap-server-1 {
                ldap-server-1
        }
        Auth-Type ldap-server-2 {
                ldap-server-2
        }
        Auth-Type LDAP {
                redundant {
                        ldap-server-1
                        ldap-server-2
                }
        }
}

The corresponding ldap-server module configuration is:

ldap ldap-server-1 {
        # ...
}
ldap ldap-server-2 {
        # ...
}


1. In the users file, I added some 20 DEFAULT entries for
ldap-server-1-Ldap-Group, for example:
DEFAULT ldap-server-1-Ldap-Group == "g1"

2. After that I added 30 DEFAULT entries for ldap-server-2-Ldap-Group; each
DEFAULT entry looks like:
DEFAULT ldap-server-2-Ldap-Group == "g21"
..
..
DEFAULT ldap-server-2-Ldap-Group == "g50"

ldap-server-1 is down now; only ldap-server-2 is reachable.

When the request comes to the radius server, it goes entry by entry through
the "users" file, i.e., it connects to ldap-server-1 for the Ldap-Group checks
from g1 till g20, and then connects to ldap-server-2 for the Ldap-Group checks
from "g21" till "g50". If the user is part of Ldap-Group "g50" it takes more
time to return success; before that the request times out, and we receive an
EAP-Start again from the wireless client.

If the number of DEFAULT entries for ldap-server-1 is less than 10, then it
works fine. If the number of DEFAULT entries increases, the server takes more
time to process.

I think the redundant ldap server configuration is not correct, or there is
some other way we can fix it. Is it possible to configure the radius server in
such a way that it tries ldap-server-1 for the first policy and, if it is
reachable, then checks it against the next policy? If it is not reachable, mark
this server as dead or whatever, skip processing the following DEFAULT entries
that match ldap-server-1, and try to process the ldap-server-2 entries.

Please help me in solving this issue. Thanks for any help.

Regards,
Nikitha
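As an added example that is not part of the original post or of FreeRADIUS, the following Python model walks the DEFAULT entries in file order and compares the latency of retrying the unreachable ldap-server-1 for every entry with the dead-marking behaviour asked for above; the connect timeout, lookup cost, client timer and group memberships are all assumed values.

```python
# Added example, not FreeRADIUS code: a model of the sequential users-file
# walk from the post, showing how failed connects to an unreachable ldap
# instance add up across DEFAULT entries. All timings are assumed values.
from dataclasses import dataclass, field

CONNECT_TIMEOUT = 3.0      # assumed: seconds burned per failed connect
LOOKUP_COST = 0.05         # assumed: seconds per successful group lookup
EAP_CLIENT_TIMEOUT = 30.0  # assumed: supplicant resends EAP-Start after this

@dataclass
class Walk:
    latency: float = 0.0   # seconds spent before a match (or the end)
    matched: str = ""      # the DEFAULT entry that matched, if any
    skipped: int = 0       # entries skipped because their instance was dead
    dead: set = field(default_factory=set)

def build_entries(counts):
    """(instance, group) pairs in file order, numbered g1.. across instances."""
    entries, n = [], 1
    for instance, count in counts:
        for _ in range(count):
            entries.append((instance, f"g{n}"))
            n += 1
    return entries

def walk_users_file(entries, reachable, memberships, mark_dead=False):
    """Evaluate entries top to bottom until an <instance>-Ldap-Group check
    matches; mark_dead=True skips an instance after its first failed connect."""
    w = Walk()
    for instance, group in entries:
        if instance in w.dead:
            w.skipped += 1
            continue
        if not reachable[instance]:
            w.latency += CONNECT_TIMEOUT
            if mark_dead:
                w.dead.add(instance)
            continue
        w.latency += LOOKUP_COST
        if group in memberships:
            w.matched = f'{instance}-Ldap-Group == "{group}"'
            break
    return w

def exceeds_client_timeout(w):
    return w.latency > EAP_CLIENT_TIMEOUT

# Scenario from the post: server 1 down, 20 + 30 entries, user only in g50.
ENTRIES = build_entries([("ldap-server-1", 20), ("ldap-server-2", 30)])
REACHABLE = {"ldap-server-1": False, "ldap-server-2": True}
```

Under these assumed numbers the per-entry retry costs 61.5 s for a user in g50 while dead-marking brings it to 4.5 s, and fewer than 10 entries for the dead instance stays under the 30 s timer, which matches the threshold the post observes.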