FreeRADIUS v1.0.4, rlm_ldap module, and redundancy

Dusty Doris freeradius at
Wed Jul 13 22:53:24 CEST 2005

> >
> >   You're using the LDAP-Group attribute, which is set to use svr1,
> > which is down.  There's currently no fail-over for the LDAP-Group
> > attribute.
> >
> I dig, that's kind of what I thought (even if I didn't word it correctly).
> Thanks for your help!

You can simulate redundancy for the Ldap-Group attribute, by doing this.

Instantiate your ldap modules in radiusd.conf.

instantiate {

In users file, add multiple lines of the same ldap-group lookup, for each

For example, say you must have ldap-group of dial if coming from a dial

DEFAULT Huntgroup-Name == dial, srv1-Ldap-Group == dial

DEFAULT Huntgroup-Name == dial, srv2-Ldap-Group == dial

DEFAULT Huntgroup-Name == dial, srv3-Ldap-Group == dial

What will happen is if the huntgroup matches, then the server will lookup
on the srv1 instance if ldap-group = dial.  If so, it matches and the
users file ends.  If not, it continues down the file, where it will then
try srv2.  If that fails, it continues to srv3.

So, if one and two are down, then this will require 3 different lookups to
finally get to srv3, but it will provide you with some type of redundancy.

More information about the Freeradius-Users mailing list