Redundant LDAP Servers

Jason Traeden jtraeden at overstock.com
Fri May 2 17:26:57 CEST 2008


I am running freeradius version 2.0.4 and using LDAP against Active
Directory. With a single LDAP server configured, my authentication works
great; I am having trouble using the redundant LDAP settings.

Here is some config data

    # rlm_ldap instance "ad01". The instance name is also its xlat name and
    # the Auth-Type value the module sets for itself when it finds a
    # matching sub-section in "authenticate" (see the debug output below).
    ldap ad01 {
        # Plain LDAP on 389 with StartTLS off: the bind password below and
        # every user password verified by LDAP bind cross the wire in clear.
        # NOTE(review): prefer start_tls = yes (or LDAPS) against AD.
        server = ocdc01.overstock.com
        port = 389
        # Bind DN used for the user/group searches; keep it a least-privilege,
        # read-only account. (The line wrap is from the mail client.)
        identity = "CN=LDAP
Bind,OU=Special,OU=OSTK_Accounts,DC=overstock,DC=com"
        password = xxxxxx
        basedn = OU=OSTK_Accounts,DC=overstock,DC=com
        # User search keyed on sAMAccountName; Stripped-User-Name is used
        # when a realm was stripped, otherwise the raw User-Name.
        filter = 
"(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
"
        ldap_connections_number = 5
        # Seconds; presumably LDAP operation timeout, server-side search
        # limit and TCP connect/network timeout respectively — confirm in
        # the rlm_ldap documentation for 2.0.x.
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
         groupname_attribute = cn
        # Group membership resolved by member= or uniquemember= against the
        # user DN, presumably stored in control:Ldap-UserDn by the user
        # search above — confirm.
        groupmembership_filter
="(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objec
tClass=top)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = memberOf
        #ldap_debug = 0xFFFF
    }

    # rlm_ldap instance "ad02": intended as the failover partner of ad01.
    # NOTE(review): "server" is the same host as in ad01, so as posted this
    # is not a redundant pair at all — a second AD host is presumably meant
    # here; confirm. Everything else mirrors ad01 (same cleartext-LDAP
    # caveat: port 389 with start_tls = no).
    ldap ad02 {
        server = ocdc01.overstock.com
        port = 389
        # Bind DN for searches; least-privilege read-only account.
        identity = "CN=LDAP
Bind,OU=Special,OU=OSTK_Accounts,DC=overstock,DC=com"
        password = xxxxxx
        basedn = OU=OSTK_Accounts,DC=overstock,DC=com
        # User search keyed on sAMAccountName (realm stripped if present).
        filter = 
"(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
"
        ldap_connections_number = 5
        timeout = 40
        timelimit = 30
        net_timeout = 10
        tls {
            start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
         groupname_attribute = cn
        # Group membership via member= / uniquemember= on the user DN.
        groupmembership_filter
="(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objec
tClass=top)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = memberOf
        #ldap_debug = 0xFFFF
    }


# Modules loaded at startup, in this order.
instantiate {
    exec
    expr
    expiration
    logintime
    # NOTE(review): "ldap" refers to a default instance that is not shown in
    # this post; if no ldap {} block exists the server will not start, and
    # if it does exist it is a third set of AD settings to keep in sync.
    ldap
    # The two AD instances above; each registers its own <name>-Ldap-Group
    # attribute and xlat (see the debug output below).
    ad01
    ad02
}


# Authorization: look the user up in AD via the first instance that answers,
# then apply the users file, expiry/login-time checks and pap.
authorize {
    preprocess
    # redundant: on "fail" move on to the next instance, on "ok" stop.
    # NOTE(review): the explicit fail = 1 / ok = return look like the
    # redundant-group defaults and can probably be dropped — confirm.
    # While ad01 and ad02 point at the same host this is not a failover
    # pair yet.
    redundant {
        ad01 {
            fail = 1
            ok = return
        }
        ad02 {
            fail = 1
            ok = return
        }
    }
    # NOTE(review): neither instance sets Auth-Type here (the debug shows
    # set_auth_type being over-ridden for both), and pap only sets
    # Auth-Type := PAP when a known-good password was retrieved, which AD
    # does not supply — so with the config as posted nothing sets
    # Auth-Type, matching "No authenticate method (Auth-Type)" below.
    files
    expiration
    logintime
    pap
}

# Authentication methods, selected by the Auth-Type set during authorize.
authenticate {
    Auth-Type PAP {
        pap
    }

    # NOTE(review): likely cause of the rejection in the debug output.
    # rlm_ldap sets Auth-Type to its own instance name only when a
    # sub-section of that name exists here; the debug shows it disabling
    # set_auth_type for ad01 and ad02 because none was found, so "LDAP" is
    # never selected. Either name the sub-sections after the instances
    # (Auth-Type ad01 { ad01 } and Auth-Type ad02 { ad02 }, losing the
    # redundant bind below), or keep this section and force
    # Auth-Type := LDAP in authorize after the redundant group — confirm
    # which fits the 2.0.4 rlm_ldap behaviour.
    Auth-Type LDAP {
        redundant {
            ad01 {
                fail = 1
                ok = return
            }
            ad02 {
                fail = 1
                ok = return
            }
            }
    }
}

# users-file entries: members of the g.acl.neteng group get the Foundry
# privilege attributes. Three copies because each rlm_ldap instance
# registers its own <name>-Ldap-Group comparison; the plain Ldap-Group is
# registered by both instances (see debug), so the generic entry alone may
# already be enough — confirm.
# NOTE(review): "Auth-Type := Accept" accepts the request without any
# password check, so a matching username is sufficient to log in with the
# Foundry privileges below. Presumably the intent is to bind against AD
# with the supplied password (leave Auth-Type unset, or set Auth-Type :=
# LDAP, and let the authenticate section verify it) — confirm.
DEFAULT Ldap-Group ==
"CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com"
    Auth-Type := Accept,
    Foundry-Privilege-Level = 0,
    Foundry-Command-String = *,
    Foundry-Command-Exception-Flag    = 0,
    Foundry-INM-Privilege = 15,
    Fall-Through = No

# Same entry keyed on the ad01 instance's group comparison.
DEFAULT ad01-Ldap-Group ==
"CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com"
    Auth-Type := Accept,
    Foundry-Privilege-Level = 0,
    Foundry-Command-String = *,
    Foundry-Command-Exception-Flag    = 0,
    Foundry-INM-Privilege = 15,
    Fall-Through = No

# Same entry keyed on the ad02 instance's group comparison.
DEFAULT ad02-Ldap-Group ==
"CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com"
    Auth-Type := Accept,
    Foundry-Privilege-Level = 0,
    Foundry-Command-String = *,
    Foundry-Command-Exception-Flag    = 0,
    Foundry-INM-Privilege = 15,
    Fall-Through = No



Here is some debug info

rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ad02-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ad02-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ad02
rlm_ldap: Over-riding set_auth_type, as there is no module ad02 listed in
the "authenticate" section.


rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ad01-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ad01-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ad01
rlm_ldap: Over-riding set_auth_type, as there is no module ad01 listed in
the "authenticate" section.


auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.


Thanks

Jason

-- 
Jason Traeden
Network Engineer
Overstock.com
6350 South 3000 East
Salt Lake City, UT  84121

jtraeden at overstock.com
Desk 801-947-3889
Cell 801-699-1379




