ldap redundant-load-balance issue
Tobias Hachmer
lists at kokelnet.de
Thu Apr 19 16:55:13 CEST 2012
On 19.04.2012 15:46, Brian Julin wrote:
> Create a single RRDNS entry for your LDAP servers and use a single
> LDAP definition. The DNS name(s) in the LDAP definition is sent to
> directly to the underlying LDAP library and should be looked up for
> each connection instantiated; FreeRADIUS does not resolve it
> internally before use, even when using LDAPS.
>
> You can also enter the RRDNS entry multiple times in a space
> separated string, which should allow for statistically probable
> failover, e.g.:
>
> ldap rrdns_ldap {
>     # If 1/2 servers are down this should only fail 1/8th of the time
>     server = "ldap.rrdns.site ldap.rrdns.site ldap.rrdns.site"
>     ...
> }
Thanks for that suggestion. It sounds quite simple to achieve fail-over
for LDAP queries.
But I have one problem when I enter my LDAP servers like you mentioned,
because the common name in the LDAP server certificate won't match the
newly defined DNS name.
I will test this scenario with the following configuration:
server = "ldap1.test.local ldap2.test.local ldap3.test.local"
Perhaps I can still use multiple ldap modules and adapt only the server
directive of the last ldap module (or all ldap modules) in the
redundant-load-balance group to the format you mentioned.
I will test it tomorrow.
Thanks for this idea!
Regards,
Tobias Hachmer
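As an added example (not from the thread or from FreeRADIUS/OpenLDAP), a small Python model of the two points discussed above: the server list tried left to right with each RRDNS entry resolved independently, which reproduces the quoted 1/8 failure figure, and the TLS name check that makes certificates issued only for ldap1/ldap2.test.local fail against the shared RRDNS name unless that name is also in the certificate. Host names, addresses and certificate names are constructed.

```python
"""Constructed model (not FreeRADIUS or OpenLDAP code): a space-separated
``server`` list is tried left to right, every entry is resolved independently
through round-robin DNS, and a TLS entry only counts as up when the server's
certificate carries the name that was configured. All data below is made up."""
import itertools

def name_matches(host, cert_names):
    """RFC 6125-style check of the configured host against the certificate's
    dNSName/CN values; a single left-most wildcard label is honoured."""
    h = host.lower().rstrip(".").split(".")
    for name in cert_names:
        c = name.lower().rstrip(".").split(".")
        if len(c) != len(h):
            continue
        if c[0] == "*" and len(c) >= 3:  # *.test.local matches ldap1.test.local
            if c[1:] == h[1:]:
                return True
        elif c == h:
            return True
    return False

def entry_succeeds(name, addr, down, certs):
    """One entry works only if the host answers and its certificate matches."""
    return addr not in down and name_matches(name, certs[addr])

def failure_probability(server_directive, dns, down, certs):
    """Exact probability that every entry in the directive fails, assuming each
    name resolves uniformly to one of its DNS addresses on every attempt."""
    names = server_directive.split()
    combos = list(itertools.product(*(dns[n] for n in names)))
    failed = sum(
        not any(entry_succeeds(n, a, down, certs) for n, a in zip(names, combo))
        for combo in combos
    )
    return failed / len(combos)

# Constructed data: two LDAP servers, ldap1 is down, one RRDNS name covers both.
DNS = {"ldap.rrdns.site": ["10.0.0.1", "10.0.0.2"],
       "ldap1.test.local": ["10.0.0.1"], "ldap2.test.local": ["10.0.0.2"]}
DOWN = {"10.0.0.1"}
CN_ONLY = {"10.0.0.1": ["ldap1.test.local"], "10.0.0.2": ["ldap2.test.local"]}
WITH_SAN = {a: names + ["ldap.rrdns.site"] for a, names in CN_ONLY.items()}

if __name__ == "__main__":
    rr3 = "ldap.rrdns.site ldap.rrdns.site ldap.rrdns.site"
    print(failure_probability(rr3, DNS, DOWN, CN_ONLY))   # 1.0: CN never matches the RRDNS name
    print(failure_probability(rr3, DNS, DOWN, WITH_SAN))  # 0.125: the 1/8 from the quoted mail
    print(failure_probability("ldap1.test.local ldap2.test.local", DNS, DOWN, CN_ONLY))  # 0.0
```

The third call is the per-host list from the reply above: it fails over cleanly with the existing certificates, at the cost of the RRDNS indirection.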
More information about the Freeradius-Users mailing list