I have an LDAP setup with multiple module statements pointing to the same LDAP server, but at different OU's (referred to as sites) to get around issues due to the large tree size present. This is currently working with the following setup radiusd.conf: modules { ldap srv1-sitea { .. set_auth_type = yes } ldap srv1-siteb { .. set_auth_type = yes } } sites-available/default: authorize { srv1-sitea srv1-siteb } authenticate { Auth-Type srv1-sitea { srv1-sitea } Auth-Type srv1-siteb { srv1-siteb } } Now my goal is to make this a redundant configuration. I have duplicated my modules config, changing "srv1" to "srv2" and changing the IP address of the LDAP server. The rest of the configuration is what is fuzzy for me. I assume that my authorize section would be: authorize { redundant { srv1-sitea srv2-sitea } redundant { srv1-siteb srv2-siteb } Now the authentication part is where is becomes complicated. I don't even know where to begin with this. I tried this based on some old configs I had used in the past, but this failed miserably: authenticate { Auth-Type ldap { group { srv1-sitea { reject = 1 ok = return } srv2-siteb { reject = return ok = return } } } I read the "configurable failover" docs, but it is still not clear to me what I would need to do in this situation. I am sure there is probably an easy way to accomplish this so that for each OU ("site") it uses both LDAP servers ("srv1","srv2") in a redundant fashion, but how to do it is something I am having a heck of a time figuring out.
Capelle, Mark (PCMC-GB) wrote:
Now the authentication part is where is becomes complicated.
Nope. Just list "srv1-sitea" and "srv1-siteb" in the authenticate section. If the server is up (and was used) for the authorize query, it had better be up for the authentication portion.
I am sure there is probably an easy way to accomplish this so that for each OU ("site") it uses both LDAP servers ("srv1","srv2") in a redundant fashion, but how to do it is something I am having a heck of a time figuring out.
You do not want to do redundancy AND redundancy. That's redundant. Just do one level of redundancy, in the "authorize" section. The correct module will then be picked for the "authenticate" section. There's no need to set up another level of redundancy. Alan DeKok.
participants (2)
-
Alan DeKok -
Capelle, Mark (PCMC-GB)