I have an LDAP setup with
multiple module statements pointing to the
same LDAP server, but at
different OU's (referred to as sites) to get
around issues due to the
large tree size present. This is currently
working with the following
setup
radiusd.conf:
modules {
ldap srv1-sitea
{
..
set_auth_type
= yes
}
ldap srv1-siteb
{
..
set_auth_type
= yes
}
}
sites-available/default:
authorize {
srv1-sitea
srv1-siteb
}
authenticate {
Auth-Type
srv1-sitea {
srv1-sitea
}
Auth-Type srv1-siteb {
srv1-siteb
}
}
Now my goal is to make this
a redundant configuration. I have
duplicated my modules
config, changing "srv1" to "srv2" and changing the
IP address of the LDAP
server. The rest of the configuration is what is
fuzzy for me. I assume that
my authorize section would be:
authorize {
redundant {
srv1-sitea
srv2-sitea
}
redundant {
srv1-siteb
srv2-siteb
}
Now the authentication part
is where is becomes complicated. I don't
even know where to begin
with this. I tried this based on some old
configs I had used in the
past, but this failed miserably:
authenticate {
Auth-Type ldap {
group {
srv1-sitea {
reject = 1
ok = return
}
srv2-siteb {
reject = return
ok = return
}
}
}
I read the
"configurable failover" docs, but it is still not clear to me
what I would need to do in
this situation.
I am sure there is probably
an easy way to accomplish this so that for
each OU ("site")
it uses both LDAP servers ("srv1","srv2") in a
redundant fashion, but how
to do it is something I am having a heck of a
time figuring out.