Redundant ldap server with freeradius 1.0.5
- Hey All, I want to configure two ldap server's for fail over conditions. My configuration in the radiusd.conf is... ldap { redundant { ldap_primary ldap_secondary } } .... ldap_primary { .. .. } ldap_secondary { .. .. } .. When the server gets any access-request packet, it tries to connect to the secondary server. Even though the primary server is reachable, the secondary server is contacted first. How can i make the radius server to contact primary ldap server first & then the next ldap server ?? Am i missing any configuration?? Could please help me in this regard. Thanks in advance. Sumithra.
Hi Alan, Thanks for your earliest reply. Please find the attached configuration file for details & Let me know what is mis-configured. Thanks Sumithra. On 4/24/06, Alan DeKok <aland@nitros9.org> wrote:
"sumi thra" <sumi.techno@gmail.com> wrote:
My configuration in the radiusd.conf is...
ldap { redundant {
Huh? The "redundant" section doesn't go into "ldap", it goes into "authorize".
Yes. The redundant ldap config goes into authorize module. Please look into the config file attached for detailed configuration. Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 4/24/06, sumi thra <sumi.techno@gmail.com> wrote:
Hi Alan,
Thanks for your earliest reply.
Please find the attached configuration file for details & Let me know what is mis-configured.
Config file : prefix = /usr exec_prefix = /usr sysconfdir = ${prefix}/etc localstatedir = /var sbindir = ${exec_prefix}/sbin logdir = /var/log/radius raddbdir = /var/etc/raddb radacctdir = ${logdir}/radacct confdir = ${raddbdir} run_dir = ${localstatedir}/run/radiusd log_file = ${logdir}/radius.log libdir = ${exec_prefix}/lib/radius pidfile = ${run_dir}/radiusd.pid max_request_time = 90 delete_blocked_requests = no cleanup_delay = 5 max_requests = 1024 #user = admin #group = users bind_address = * port = 0 hostname_lookups = no allow_core_dumps = no regular_expressions = yes extended_expressions = yes log_stripped_names = no log_auth = no log_auth_badpass = no log_auth_goodpass = no usercollide = no lower_user = no lower_pass = no nospace_user = no nospace_pass = no checkrad = ${sbindir}/checkrad security { max_attributes = 200 reject_delay = 1 status_server = no } proxy_requests = yes snmp = yes $INCLUDE ${confdir}/proxy.conf $INCLUDE ${confdir}/clients.conf $INCLUDE ${confdir}/snmp.conf thread pool { start_servers = 5 max_servers = 32 min_spare_servers = 3 max_spare_servers = 10 max_requests_per_server = 0 } modules { pap { encryption_scheme = clear } chap { authtype = CHAP } pam { pam_auth = radiusd } unix { cache = no cache_reload = 600 radwtmp = /var/log/radius/radwtmp } mschap { authtype = MS-CHAP #use_mppe = no #require_encryption = yes #require_strong = yes #with_ntdomain_hack = no } ldap ldap_primary { server = 1.1.1.1 port = 389 identity = "cn=Manager,o=My Org,c=INDIA" password = secret basedn = o=My Org,c=INDIA filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "dialupacces" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 #password_header = "{SHA}" password_attribute = userPassword groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 access_attr_used_for_allow = no } ldap ldap_secondary { server = ldap.your.domain port = 389 identity = cn=admin,o=My Org,c=UA password = mypass basedn = o=My Org filter = (uid=%{Stripped-User-Name:-%{User-Name}}) start_tls = no access_attr = "dialupacces" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 #password_header = "{SHA}" password_attribute = userPassword groupname_attribute = cn groupmembership_filter = (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) groupmembership_attribute = radiusGroupName timeout = 4 timelimit = 3 net_timeout = 1 access_attr_used_for_allow = no } passwd etc_passwd { filename = /var/etc/passwd format = "*User-Name::User-Password" delimiter = : } passwd etc_group { filename = /var/etc/group format = "~Group-Name::*,User-Name" delimiter = : } realm suffix_oblic { format = suffix delimiter = / ignore_default = no ignore_null = no } realm prefix_oblic { format = prefix delimiter = / ignore_default = no ignore_null = no } realm suffix_at { format = suffix delimiter = @ ignore_default = no ignore_null = no } realm prefix_at { format = prefix delimiter = @ ignore_default = no ignore_null = no } realm suffix_percent { format = suffix delimiter = % ignore_default = no ignore_null = no } realm prefix_percent { format = prefix delimiter = % ignore_default = no ignore_null = no } checkval { item-name = Calling-Station-Id check-name = Calling-Station-Id data-type = string #notfound-reject = no } preprocess { huntgroups = ${confdir}/huntgroups hu_int32_ts = ${confdir}/hints with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no } files { usersfile = ${confdir}/users acctusersfile = ${confdir}/acct_users compat = no } detail { detailfile = ${radacctdir}/%{Client-IP-Address}/acct-%Y%m%d detailperm = 0666 } acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } radutmp { filename = /var/log/radius/radutmp username = %{User-Name} case_sensitive = yes check_with_nas = yes perm = 0600 callerid = yes } radutmp { filename = /var/log/radius/sradutmp perm = 0644 callerid = no } attr_filter { attrsfile = ${confdir}/attrs } counter daily { filename = ${raddbdir}/db.daily key = User-Name count-attribute = Acct-Session-Time reset = daily counter-name = Daily-Session-Time check-name = Max-Daily-Session allowed-servicetype = Framed-User cache-size = 5000 } always fail { rcode = fail } always reject { rcode = reject } always ok { rcode = ok simulcount = 0 mpp = no } expr { } digest { } exec { wait = yes input_pairs = request } exec echo { wait = yes program = "/bin/echo %{User-Name}" input_pairs = request output_pairs = reply } ippool main_pool { range-start = 192.168.1.1 range-stop = 192.168.3.254 netmask = 255.255.255.0 cache-size = 800 session-db = ${raddbdir}/db.ippool ip-index = ${raddbdir}/db.ipindex override = no maximum-timeout = 0 } $INCLUDE ${confdir}/eap.conf } instantiate { #exec #expr } authorize { preprocess #etc_passwd #etc_group chap mschap suffix_oblic prefix_oblic suffix_at prefix_at suffix_percent prefix_percent files redundant{ ldap_primary ldap_secondary } eap } authenticate { Auth-Type PAP { pap } Auth-Type CHAP { chap } Auth-Type MS-CHAP { mschap } Auth-Type LDAP { redundant { ldap_primary ldap_secondary } } #unix eap } preacct { preprocess acct_unique suffix_oblic files } accounting { detail #unix #radutmp } session { #radutmp } post-auth { } pre-proxy { } post_proxy { eap } Thanks
Sumithra.
On 4/24/06, Alan DeKok <aland@nitros9.org> wrote:
"sumi thra" <sumi.techno@gmail.com> wrote:
My configuration in the radiusd.conf is...
ldap { redundant {
Huh? The "redundant" section doesn't go into "ldap", it goes into "authorize".
Yes. The redundant ldap config goes into authorize module. Please look into the config file attached for detailed configuration.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (2)
-
Alan DeKok -
sumi thra