ldap redundant-load-balance issue

Brian Gold bgold at simons-rock.edu
Thu Apr 19 17:08:11 CEST 2012

> Thanks for that suggestion. Sounds quite simple to achieve fail-over for ldap-queries.
> But I have one problem when I enter my ldap servers like you mentioned because the common name in the ldap server certificate
> won't match the newly defined dns name.
> I will test this scenario with the following configuration:
> server = "ldap1.test.local ldap2.test.local ldap3.test.local"
> Perhaps I can still use multiple ldap modules and adapt only the server directive of the last ldap module (or all ldap modules) in
> redundant-load-balance group to the format you have mentioned.
> I will test it tomorrow.
> Thanks for this idea!
> Regards,
> Tobias Hachmer

Just recently, I switched over from using a single openldap server to using a pair of multi-master openldap servers that sit behind
a third server running haproxy. There is also a fourth server running haproxy and keepalived to take over for the first haproxy
server should it fail. I then have my radius server doing its ldap queries through the haproxy so that if either of the ldap servers
goes down, all queries will be automatically redirected to the other ldap server. This setup has been working quite well so far for
radius and for other products that don't handle redundant ldap servers well.
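An added example of the haproxy side of the setup described above (constructed for this thread, not Brian's own configuration): two OpenLDAP servers behind a TCP-mode frontend with LDAP bind health checks, so a dead server is dropped from rotation before RADIUS notices. The hostnames, addresses and the VIP 192.0.2.10 are placeholders.

```haproxy
# Constructed haproxy.cfg fragment; addresses and names are placeholders.
global
    log /dev/log local0
    maxconn 4096

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# The VIP below is the address keepalived moves between the two haproxy
# nodes; the radius ldap module's server directive points here.
frontend ldap_in
    bind 192.0.2.10:389
    default_backend ldap_servers

backend ldap_servers
    balance roundrobin
    # ldap-check performs an LDAPv3 anonymous simple bind against each
    # server; one that fails 3 checks in a row is removed from rotation,
    # so queries go to the surviving server, and it returns after 2 passes.
    option ldap-check
    server ldap1 192.0.2.21:389 check inter 5s fall 3 rise 2
    server ldap2 192.0.2.22:389 check inter 5s fall 3 rise 2
```

With this in place the ldap module's `server` directive names only the VIP. Because TCP mode passes the connection through untouched, the certificate-name problem from the quoted message still applies if TLS is used: the backend servers' certificate must cover the name RADIUS connects to (the VIP's name), not just each server's own hostname.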


More information about the Freeradius-Users mailing list