FreeRADIUS v1.0.4, rlm_ldap module, and redundancy

Zawacki Jason D Ctr AFRL/IFOS Jason.Zawacki.ctr at rl.af.mil
Thu Jul 14 13:04:01 CEST 2005


Thanks Dusty.  I just implemented your suggestions and it's working very
well.

Once again I am pleasantly surprised by the flexibility of FreeRADIUS.
Great job!

Jason

> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org
> [mailto:freeradius-users-bounces at lists.freeradius.org]
> On Behalf Of Dusty Doris
> Sent: Wednesday, July 13, 2005 4:53 PM
> To: FreeRadius users mailing list
> Subject: RE: FreeRADIUS v1.0.4, rlm_ldap module, and redundancy 
> 
> > >
> > >   You're using the LDAP-Group attribute, which is set to use svr1,
> > > which is down.  There's currently no fail-over for the LDAP-Group
> > > attribute.
> > >
> >
> > I dig, that's kind of what I thought (even if I didn't word it
> > correctly).
> > Thanks for your help!
> >
> 
> You can simulate redundancy for the Ldap-Group attribute by doing this.
> 
> Instantiate your ldap modules in radiusd.conf.
> 
> instantiate {
>   srv1
>   srv2
>   srv3
> }
> 
> In users file, add multiple lines of the same ldap-group lookup, for
> each srv.
> 
> For example, say you must have ldap-group of dial if coming from a
> dial huntgroup.
> 
> DEFAULT Huntgroup-Name == dial, srv1-Ldap-Group == dial
> 
> DEFAULT Huntgroup-Name == dial, srv2-Ldap-Group == dial
> 
> DEFAULT Huntgroup-Name == dial, srv3-Ldap-Group == dial
> 
> What will happen is if the huntgroup matches, then the server will
> look up on the srv1 instance if ldap-group = dial.  If so, it matches
> and the users file ends.  If not, it continues down the file, where it
> will then try srv2.  If that fails, it continues to srv3.
> 
> So, if one and two are down, then this will require 3 different
> lookups to finally get to srv3, but it will provide you with some type
> of redundancy.
> 
> 
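
The setup described in the quoted message, written out as an added example that is not part of the original thread: three named rlm_ldap instances and the matching users entries. Host names, DNs, filters and timeout values are placeholder assumptions, and the final Reject entry is an addition that makes the policy fail closed when no instance confirms group membership.

```conf
# radiusd.conf -- constructed example; hosts, DNs and filters are placeholders
modules {
  ldap srv1 {
    server = "ldap1.example.org"
    basedn = "dc=example,dc=org"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
    # keep these short: each request waits this long while the server is down
    net_timeout = 1
    timeout = 4
    timelimit = 3
  }
  ldap srv2 {
    server = "ldap2.example.org"
    basedn = "dc=example,dc=org"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
    net_timeout = 1
    timeout = 4
    timelimit = 3
  }
  ldap srv3 {
    server = "ldap3.example.org"
    basedn = "dc=example,dc=org"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=groupOfNames)(member=%{Ldap-UserDn}))"
    net_timeout = 1
    timeout = 4
    timelimit = 3
  }
}

instantiate {
  srv1
  srv2
  srv3
}

# users -- entries are tried top to bottom; the first match ends the search
DEFAULT Huntgroup-Name == dial, srv1-Ldap-Group == dial
DEFAULT Huntgroup-Name == dial, srv2-Ldap-Group == dial
DEFAULT Huntgroup-Name == dial, srv3-Ldap-Group == dial
# assumption, not in the original post: reject explicitly when no instance
# confirms membership (user not in the group, or all three servers unreachable)
DEFAULT Huntgroup-Name == dial, Auth-Type := Reject
```

The instance name given after `ldap` is what prefixes the per-instance `srv1-Ldap-Group` check attribute used in the users file.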


