Load-balance and Auth-Type
Hi all I have this scenario: 2 radius servers must point to 2 ldap servers with a load-balancing and fault-tolerant configuration. I tried to implement this on one of the radius servers this way: modules { ldap ldap1 { ........... authtype = ldap #added later but seems not to work } ldap ldap2 { ........... authtype = ldap #added later but seems not to work } } authorize { preprocess load-balance { # between two redundant sections below redundant { ldap1 ldap2 } redundant { ldap2 ldap1 } } } authenticate { Auth-Type LDAP { load-balance { # between two redundant sections below redundant { ldap1 ldap2 } redundant { ldap2 ldap1 } } } but if i try to authenticate a user i see this in debug: rad_recv: Access-Request packet from host XXX.XXX.XXX.XXX:25702, id=169, length=77 User-Name = "XXXXXX" User-Password = "XXXXXX" NAS-IP-Address = XXX.XXX.XXX.XXX NAS-Identifier = "login" NAS-Port = 24677 NAS-Port-Type = Virtual Service-Type = Authenticate-Only Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall: entering load-balance group for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for XXX radius_xlat: '(uid=XXX)' radius_xlat: 'dc=XXXXXXX,dc=XX' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to XXX.XXX.XXX.XXX:389, authentication 0 rlm_ldap: bind as / to XXX.XXX.XXX.XXX:389 rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in dc=XXXXXXX,dc=XX, with filter (uid=XXX) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: Adding radiusServiceType as Service-Type, value Shell-User & op=11 rlm_ldap: extracted attribute Cisco-AVPair from generic item cisco-avpair="shell:priv-lvl=15" rlm_ldap: user futhwo authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap1" returns ok for request 0 modcall: leaving group redundant (returns ok) for request 0 modcall: load-balance group returns ok for request 0 modcall: leaving group authorize (returns ok) for request 0 auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user auth: Failed to validate the user. Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 169 to XXX.XXX.XXX.XXX port 25702 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 169 with timestamp 44212404 Nothing to do. Sleeping until we see a request. If i keep only 1 module,call it simply ldap and give up on load balancing everything works ok. How can i resolv this issue?
"Evil I_Am" <evil_ftw@hotmail.com> wrote:
I have this scenario: 2 radius servers must point to 2 ldap servers with a load-balancing and fault-tolerant configuration.
As of 1.1.0, you can do "reduntant-load-balance". See doc/configurable_failover. That makes the configuration a little easier.
authenticate { Auth-Type LDAP {
I'd suggest just listing "ldap1" and "ldap2". The authorization stage does most of the work, so load balancing is more important there. And as of 1.1.0, the modules will cause themselves to be selected in the "authenticate" section, too. So you leverage the authorize load balancing to do authentication load balancing. Alan DeKok.
participants (2)
-
Alan DeKok -
Evil I_Am