ldap module for user and mac authentication

Dave Macias davama at gmail.com
Wed Aug 8 21:57:36 CEST 2018


>
> Maybe I missed something in the thread. But I understand '"live" LDAP
> server' that you want to know which LDAP server behind connection
> pooling, load-balancer or similar was really reached.
>
> For this particular case I always add the service FQDN of a particular
> (OpenLDAP) instance to be readable via LDAP, e.g. in the rootDSE. So an
> LDAP client can find out to which particular instance it connected even
> though it does not control the fail-over.
>

Thank you Michael for the input! That was a good idea!
I've got it to work using the LDAP SRV record, which has multiple ldap servers,
but using the `ldapsearch` command:

MASTER:
sites-enabled/default

    authorize {
        ....
        ldap {
            fail = 1
        }
        if (fail) {
            do_not_respond
        }
        if (&NAS-Port-Type == "Ethernet" && &Calling-Station-Id) {
            rewrite_calling_station_id
            # this method was always TRUE even if the ldap server was dead
            #if (!"%{ldap:ldap://master1/ou=%{client:shortname},ou=macs,dc=datacom,dc=net?cn?sub?(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))}") {
            if `/usr/bin/ldapsearch -x -H "ldap:///dc=test.my.org.net" -b "ou=%{client:shortname},ou=macs,dc=myorg,dc=net" "(&(objectClass=ieee802Device)(macAddress=%{Calling-Station-Id}))"` {
                update {
                    control:Auth-Type := Accept
                }
            }
            else {
                reject
            }
        }
        ....
    }

SLAVE:
(no change)

At least with my setup, if all ldap servers were dead the 'fail = 1' would
never allow reaching 'if NAS' where my ldapsearch is. But if 'fail /= 1', even
if only 1 master ldap server is alive, then the ldapsearch would use the
'live' ldap server. (note: my ldap module is configured with the IPs of the
same ldap masters the SRV record resolves to)  (note2: I flipped the logic of
'if ldapsearch' vs 'if (!"%{ldap:ldap//...}')

I could not find a way to use the '{ldap:ldap:///_ldap_srv_record...}'
method, since I needed to do a subsearch.

This of course makes three programs work together instead of two
(openldap + freeradius + dns). It would have been nicer to have just 2
dependents. But it is neat! I guess it depends on how you want to set it up.

Going to try having the SRV record on the ldap module :D

Thank you very much for the help!

-dave
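The lookup Dave wires into the `if` above, written out as a small wrapper script. This is an added example, not code from the post or from the FreeRADIUS project: it assumes OpenLDAP's `ldapsearch` is installed (the empty-host `ldap:///` URL is what makes libldap resolve the server through the `_ldap._tcp` SRV record), reuses the post's placeholder base DN and URL, and adds one thing the raw command lacks: the NAS-supplied Calling-Station-Id is canonicalised and checked to be a MAC before it is spliced into the LDAP filter, so a NAS cannot feed filter syntax into the search.

```shell
#!/bin/sh
# Added example (not from the original post or FreeRADIUS): a wrapper the
# unlang `if` could exec instead of the raw ldapsearch. It validates the
# Calling-Station-Id before building the filter, then queries the directory
# through the same SRV-resolving ldap:/// URL the post uses.

LDAP_URL="ldap:///dc=test.my.org.net"   # empty host: libldap resolves via SRV
MACS_BASE="ou=macs,dc=myorg,dc=net"     # placeholder from the post

# Print the MAC as lowercase aa:bb:cc:dd:ee:ff; return 1 unless the input is
# exactly 12 hex digits once the separators ':' '-' '.' are stripped.
normalize_mac() {
    hex=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/[-:.]//g')
    case "$hex" in
        '' | *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#hex}" -eq 12 ] || return 1
    printf '%s\n' "$hex" | sed 's/../&:/g; s/:$//'
}

# Build the search filter. Only a canonical MAC reaches this point, so no
# LDAP filter metacharacters can arrive through the NAS attribute.
build_filter() {
    printf '(&(objectClass=ieee802Device)(macAddress=%s))' "$1"
}

# Usage: mac_authorized <client shortname> <Calling-Station-Id>
# Exit 0 when an entry for the MAC exists under the client's OU, 1 otherwise.
# ldapsearch -x exits 0 even for an empty result, so the decision is made on
# whether a 'dn:' line came back, like the non-empty backtick test in unlang.
mac_authorized() {
    mac=$(normalize_mac "$2") || return 1
    ldapsearch -x -LLL -H "$LDAP_URL" -b "ou=$1,$MACS_BASE" -s sub \
        "$(build_filter "$mac")" dn 2>/dev/null | grep -q '^dn:'
}

# When run as a script (e.g. from unlang), decide for the given client/MAC.
if [ "$#" -eq 2 ]; then
    mac_authorized "$1" "$2"
    exit $?
fi
```

Because `fail = 1` in the `ldap` module call already short-circuits the section when no directory answers, the script only runs while at least one SRV target is up, which is exactly the behaviour described in the post.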


More information about the Freeradius-Users mailing list