Hello, i`m running a Freeradius Server 2.1.12 on a Ubuntu 13.04 VM. The Login with 802.1 works perfectly. I`m using a Windows LDAP Server for the Login and want to add a second LDAP-Server for a Fail Over. I`m following the Tutorials to setup my Freeradius Server: *Click*. I`cant find a suitable Tutorial to adding a second LDAP Server for a Fail Over. Which files are responsible for the integration of a second LDAP server? These are my current Settings: /etc/freeradius/modules/ldap: ldap ldap1 { server = "serv01.xyz.local" basedn = "dc=xyz,dc=local" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no set_auth_type = no keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60 # LDAP_OPT_X_KEEPALIVE_PROBES probes = 3 # LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } } ldap ldap2 { server = "serv02.xyz.local" basedn = "dc=xyz,dc=local" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" ldap_connections_number = 5 timeout = 4 timelimit = 3 net_timeout = 1 tls { start_tls = no } dictionary_mapping = ${confdir}/ldap.attrmap edir_account_policy_check = no set_auth_type = no keepalive { # LDAP_OPT_X_KEEPALIVE_IDLE idle = 60 # LDAP_OPT_X_KEEPALIVE_PROBES probes = 3 # LDAP_OPT_X_KEEPALIVE_INTERVAL interval = 3 } } /etc/samba/smb.conf: [global] workgroup = XYZ dns proxy = no security = ads password server = serv01.xyz.local password server = serv02.xyz.local winbind separator = + /etc/freeradius/sites-enabled/inner-tunnel: authenticate { ntlm_auth … /etc/freeradius/sites-enabled/default: authenticate { ntlm_auth … /etc/freeradius/users: DEFAULT Auth-Type = ntlm_auth Thanks for Help! BeliarsFire
On 12 Sep 2013, at 15:47, Kevin Bigalke <beliarsfire@outlook.com> wrote:
Hello, i`m running a Freeradius Server 2.1.12 on a Ubuntu 13.04 VM. The Login with 802.1 works perfectly. I`m using a Windows LDAP Server for the Login and want to add a second LDAP-Server for a Fail Over. I`m following the Tutorials to setup my Freeradius Server: *Click*. I`cant find a suitable Tutorial to adding a second LDAP Server for a Fail Over. Which files are responsible for the integration of a second LDAP server? These are my current Settings:
ldap { server = "serv01.xyz.local,serv02.xyz.local" ... } libldap handles failover. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Kevin Bigalke wrote:
i`m running a Freeradius Server 2.1.12 on a Ubuntu 13.04 VM. The Login with 802.1 works perfectly. I`m using a Windows LDAP Server for the Login and want to add a second LDAP-Server for a Fail Over. I`m following the Tutorials to setup my Freeradius Server: **Click <http://deployingradius.com/>**. I`cant find a suitable Tutorial to adding a second LDAP Server for a Fail Over. Which files are responsible for the integration of a second LDAP server?
raddb/modules/ldap
These are my current Settings:
That seems reasonable.
*/etc/samba/smb.conf*:
Which largely doesn't matter for FreeRADIUS.
*/etc/freeradius/sites-enabled/inner-tunnel:*
authenticate { ntlm_auth
So... you're not using LDAP. Let's start from the beginning. What, exactly are you trying to do? What have you done? Why did you think that would work? Be specific. In short, you *can't* do LDAP fail-over if you're using ntlm_auth. That's because ntlm_auth interacts with Samba. And you have *no* LDAP configuration in the "authorize" section. And Samba takes care of Samba-related fail-overs, so LDAP isn't necessary. It's like you're asking for flying lessons, and showing up with a bicycle. There's a bit of a disconnect somewhere. Alan DeKok.
It's like you're asking for flying lessons, and showing up with a bicycle. There's a bit of a disconnect somewhere.
Not true, they make these awesome little fold up bikes you can chuck in the back of the plane. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
On 12 Sep 2013, at 16:29, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
It's like you're asking for flying lessons, and showing up with a bicycle. There's a bit of a disconnect somewhere.
Not true, they make these awesome little fold up bikes you can chuck in the back of the plane.
Still trying to come up with a justification for an rlm_avionics module. Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
Hi Alan, i would like to imagine a second LDAP Server for a Failover. I want to implent my Windows LDAP Server for Authentification via WLAN. The login on LDAP1 works, but when i`m blocking the first LDAP1 Server with the Iptable-Command, the connection to the Failover Server, LDAP2, couldn`t etablished. I`m following this Tutorial: *Click* -> I`m worked to this Tutorial Step-by-Step. On the last two steps, i`m configured Freeradius to use ntlm_auth > This was obviousy wrong, cause i want to implement LDAP-Severs. But this Configuration still works with one LDAP Server without a second Failover Server. (At least, the login via WLAN with LDAP Authentification data works.). This are the files, which i`d edit: /etc/freeradius/users DEFAULT Auth-Type = ntlm_auth # > Change it to LDAP, right? .... /etc/freeradius/radiusconf ... # Did i need these Settings in this Version? redundant { ldap1 ldap2 handled } } /etc/freeradius/sites-enabled/inner-tunnel ... authenticate { ntlm_auth # Change it to LDAP, right? ... I`m editing this file, after your Post: /etc/freeradius/users DEFAULT Auth-Type = ldap .... After changing, I`m getting this Error: /etc/freeradius/users[1]: Parse error (check) for entry DEFAULT: Unknown value ldap for attribute Auth-Type So, ldap isn`t possible as Auth-Type? Which one i`must using? /etc/freeradius/sites-enabled/inner-tunnel ... authenticate { ldap ... Thanks for Help! I´m working with Linux since 4 weeks, so its hard to be aware of all functions of Freeradius and Linux.
Beliars Fire wrote:
-> I`m worked to this Tutorial Step-by-Step. On the last two steps, i`m configured Freeradius to use ntlm_auth > This was obviousy wrong, cause i want to implement LDAP-Severs.
Please, don't think you're smarter than people with decades more experience than you. It's not polite. Follow the instructions in the web page. Why? Because they work. If you get rid of ntlm_auth, then your users won't be able to authenticate using 802.1X.
DEFAULT Auth-Type = ntlm_auth /# > Change it to LDAP, right?/
No. Follow the web page. If you're not going to follow instructions, then there's no point in asking questions on this list.
... /# Did i need these Settings in this Version?/
No.
*/etc/freeradius/sites-enabled/inner-tunnel* ... authenticate { ntlm_auth /# Change it to LDAP, right?/
No.
...
_I`m editing this file, after your Post:_
*/etc/freeradius/users*
DEFAULT Auth-Type = ldap
No.
/After changing, I`m getting this Error:/ //etc/freeradius/users[1]: Parse error (check) for entry DEFAULT: Unknown value ldap for attribute Auth-Type / /So, ldap isn`t possible as Auth-Type? Which one i`must using?/
It's possible. But it won't work for you. So don't do it.
Thanks for Help! I´m working with Linux since 4 weeks, so its hard to be aware of all functions of Freeradius and Linux.
It's dead simple. Follow the web page. It has step by step instructions for how to get it to work. The instructions are correct. Anyone who knows how to use a text editor can follow them. The point of documentation is so non-experts can get things done. If you're going to ignore the documentation, then you're on your own. Alan DeKok.
Hi While I generally chime in with Alan's later message, one important you should start reading about and differentiating is Authentication and Authorization (the later is Accounting of AAA with RADIUS). While you can do Authorization using LDAP with AD, you can't do the Authentication part using LDAP against AD. Using Samba and ntlm_auth is the way to go, that due to to how AD stores passwords. Read deployingradius.com, specially the compatibility matrix and "Authentication Systems and Password Compatibility". You may do LDAP load balancing on the authorization part, but ntlm_auth and balancing / failover is done by Samba. Otherwise if you want to go deeper, get a RADIUS book :-) I can confirm that the initial curve may be a bit steep if you haven't done any RADIUS before, but it's well worth since it gets you better overall understanding on AAA and RADIUS, that will definitely help if something goes belly up. -- Mathieu
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Beliars Fire -
Kevin Bigalke -
Mathieu Simon