FreeRADIUS v1.0.4, rlm_ldap module, and redundancy
Dusty Doris
freeradius at mail.doris.cc
Wed Jul 13 22:53:24 CEST 2005
> >
> > You're using the LDAP-Group attribute, which is set to use svr1,
> > which is down. There's currently no fail-over for the LDAP-Group
> > attribute.
> >
>
> I dig, that's kind of what I thought (even if I didn't word it correctly).
> Thanks for your help!
>
You can simulate redundancy for the Ldap-Group attribute, by doing this.

Instantiate your ldap modules in radiusd.conf.

instantiate {
    srv1
    srv2
    srv3
}

In users file, add multiple lines of the same ldap-group lookup, for each
srv.

For example, say you must have ldap-group of dial if coming from a dial
huntgroup.

DEFAULT Huntgroup-Name == dial, srv1-Ldap-Group == dial
DEFAULT Huntgroup-Name == dial, srv2-Ldap-Group == dial
DEFAULT Huntgroup-Name == dial, srv3-Ldap-Group == dial

What will happen is, if the huntgroup matches, then the server will look up
on the srv1 instance if ldap-group = dial. If so, it matches and the
users file ends. If not, it continues down the file, where it will then
try srv2. If that fails, it continues to srv3.

So, if one and two are down, then this will require 3 different lookups to
finally get to srv3, but it will provide you with some type of redundancy.
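
Added example (not part of the original post, and not FreeRADIUS code): a small Python model of the users-file walk described above, counting LDAP group lookups per request. It assumes check items are evaluated left to right, that an unreachable instance simply makes its check fail, and that all three servers hold the same data; the user names and group memberships are constructed.

```python
import re

# The three users-file lines from the post.
USERS = """\
DEFAULT Huntgroup-Name == dial, srv1-Ldap-Group == dial
DEFAULT Huntgroup-Name == dial, srv2-Ldap-Group == dial
DEFAULT Huntgroup-Name == dial, srv3-Ldap-Group == dial
"""
# Constructed directory contents, assumed identical on every replica.
DIRECTORY = {"alice": {"dial"}, "bob": {"staff"}}

def parse_users(text):
    """Return one list of (attribute, value) check items per DEFAULT line."""
    entries = []
    for line in text.splitlines():
        name, _, checks = line.partition(" ")
        if name == "DEFAULT":
            entries.append([tuple(part.strip() for part in item.split("=="))
                            for item in checks.split(",")])
    return entries

def evaluate(entries, request, up):
    """Walk entries top-down; return (matching line or None, LDAP lookups)."""
    lookups = 0
    for lineno, checks in enumerate(entries, 1):
        ok = True
        for attr, value in checks:
            inst = re.fullmatch(r"(\w+)-Ldap-Group", attr)
            if inst:
                lookups += 1  # each group check costs a query or a timeout
                groups = DIRECTORY.get(request["User-Name"], set())
                # Assumption: a down instance yields "no match", not a reject.
                ok = inst.group(1) in up and value in groups
            else:
                ok = request.get(attr) == value
            if not ok:
                break  # remaining check items on this line are skipped
        if ok:
            return lineno, lookups  # first match ends the walk
    return None, lookups

def run(user, huntgroup, up):
    request = {"User-Name": user, "Huntgroup-Name": huntgroup}
    return evaluate(parse_users(USERS), request, set(up))

if __name__ == "__main__":
    for up in (["srv1", "srv2", "srv3"], ["srv3"], []):
        print(up, "alice:", run("alice", "dial", up), "bob:", run("bob", "dial", up))
```

In this model a user who is not in the group costs three lookups even when every server is up, and that result is identical to a total LDAP outage, so server reachability has to be monitored separately from the users-file outcome.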