I have an LDAP setup with multiple module statements pointing to the same LDAP server, but at different OUs (referred to as sites) to get around issues due to the large tree size present. This is currently working with the following setup.

radiusd.conf:

    modules {
        ldap srv1-sitea {
            ..
            set_auth_type = yes
        }
        ldap srv1-siteb {
            ..
            set_auth_type = yes
        }
    }

sites-available/default:

    authorize {
        srv1-sitea
        srv1-siteb
    }
    authenticate {
        Auth-Type srv1-sitea {
            srv1-sitea
        }
        Auth-Type srv1-siteb {
            srv1-siteb
        }
    }

Now my goal is to make this a redundant configuration. I have duplicated my modules config, changing "srv1" to "srv2" and changing the IP address of the LDAP server. The rest of the configuration is what is fuzzy for me. I assume that my authorize section would be:

    authorize {
        redundant {
            srv1-sitea
            srv2-sitea
        }
        redundant {
            srv1-siteb
            srv2-siteb
        }
    }

Now the authentication part is where it becomes complicated. I don't even know where to begin with this. I tried this based on some old configs I had used in the past, but this failed miserably:

    authenticate {
        Auth-Type ldap {
            group {
                srv1-sitea {
                    reject = 1
                    ok = return
                }
                srv2-siteb {
                    reject = return
                    ok = return
                }
            }
        }
    }

I read the "configurable failover" docs, but it is still not clear to me what I would need to do in this situation. I am sure there is probably an easy way to accomplish this so that for each OU ("site") it uses both LDAP servers ("srv1", "srv2") in a redundant fashion, but how to do it is something I am having a heck of a time figuring out.
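An added configuration example (not from the original post or the FreeRADIUS project) showing one way to carry the per-site `redundant` grouping from authorize into authenticate. It assumes FreeRADIUS 2.x unlang and that, as the poster's working config suggests, `set_auth_type = yes` makes whichever ldap instance succeeds in authorize set Auth-Type to its own instance name, so each instance name needs its own Auth-Type block that then tries both servers for that site.

```conf
# Added example, not the poster's config: redundant LDAP per site (OU) in FreeRADIUS 2.x.
# Assumption: with set_auth_type = yes, the ldap instance that answered in authorize
# sets Auth-Type to its instance name (srv1-sitea, srv2-sitea, ...).
authorize {
    # First server that does not fail answers for site A; notfound falls through to site B.
    redundant {
        srv1-sitea
        srv2-sitea
    }
    redundant {
        srv1-siteb
        srv2-siteb
    }
}

authenticate {
    # Whichever instance set Auth-Type, bind against both servers for that site,
    # preferring the one that already answered in authorize.
    Auth-Type srv1-sitea {
        redundant {
            srv1-sitea
            srv2-sitea
        }
    }
    Auth-Type srv2-sitea {
        redundant {
            srv2-sitea
            srv1-sitea
        }
    }
    Auth-Type srv1-siteb {
        redundant {
            srv1-siteb
            srv2-siteb
        }
    }
    Auth-Type srv2-siteb {
        redundant {
            srv2-siteb
            srv1-siteb
        }
    }
}
```

Whether Auth-Type is actually set to the instance name depends on the rlm_ldap version in use, so confirm it in the debug output of `radiusd -X` before relying on the authenticate mapping above.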