I have an LDAP setup with multiple module statements
pointing to the same LDAP server, but at different OU’s (referred to as
sites) to get around issues due to the large tree size present. This is
currently working with the following setup
radiusd.conf:
modules {
ldap
srv1-sitea {
..
set_auth_type
= yes
}
ldap
srv1-siteb {
..
set_auth_type
= yes
}
}
sites-available/default:
authorize {
srv1-sitea
srv1-siteb
}
authenticate {
Auth-Type
srv1-sitea {
srv1-sitea
}
Auth-Type srv1-siteb {
srv1-siteb
}
}
Now my goal is to make this a redundant configuration.
I have duplicated my modules config, changing “srv1” to “srv2”
and changing the IP address of the LDAP server. The rest of the
configuration is what is fuzzy for me. I assume that my authorize section
would be:
authorize {
redundant
{
srv1-sitea
srv2-sitea
}
redundant
{
srv1-siteb
srv2-siteb
}
Now the authentication part is where is becomes complicated.
I don’t even know where to begin with this. I tried this based on
some old configs I had used in the past, but this failed miserably:
authenticate {
Auth-Type ldap {
group {
srv1-sitea {
reject = 1
ok = return
}
srv2-siteb {
reject = return
ok = return
}
}
}
I read the “configurable failover” docs, but it
is still not clear to me what I would need to do in this situation.
I am sure there is probably an easy way to accomplish this
so that for each OU (“site”) it uses both LDAP servers (“srv1”,”srv2”)
in a redundant fashion, but how to do it is something I am having a heck of a
time figuring out.