Redundant Ldap Configuration + More groups
nikitha
sumi.techno at gmail.com
Fri Feb 16 11:53:02 CET 2007
Hi All,
Authentication takes more time when 2 ldap servers are configured and one is
not reachable. I have configured the redundant ldap module as specified in
the doc.
authorize {
    ;;
    ;;
    redundant {
        ldap-server-1
        ldap-server-2
    }
}
authenticate {
    ;;
    ;;
    Auth-Type LDAP {
        redundant {
            ldap-server-1
            ldap-server-2
        }
    }
}
The corresponding ldap-server module configuration is:
ldap ldap-server-1 {
    ..
    ..
}
ldap ldap-server-2 {
    ..
    ..
}
1. In the users file, added some 20 DEFAULT entries for
   ldap-server-1-Ldap-Group,
   for ex., DEFAULT ldap-server-1-Ldap-Group == "g1"
2. After that added 30 DEFAULT entries for ldap-server-2-Ldap-Group; each
   DEFAULT entry is like,
   DEFAULT ldap-server-2-Ldap-Group == "g21"
   ..
   ..
   DEFAULT ldap-server-2-Ldap-Group == "g50"
The ldap-server-1 is down now. Only ldap-server-2 is reachable.
When the request comes to the radius server, it goes entry by entry in the
"users" file, i.e., it connects to ldap-server-1 with the Ldap-Group tries
from g1 till g20, and then connects to ldap-server-2 with Ldap-Group from
"g21" till "g50". If the user is part of Ldap-Group "g50" it takes more time
to return success; before that the request times out, and an EAP start is
received again from the wireless client.
If the number of DEFAULT entries for ldap-server-1 is less than 10, then it
works fine. If the number of DEFAULT entries increases, the server takes more
time to process.
I think the redundant ldap server configuration is not correct, or we can fix
it in some other way. Is it possible to configure the radius server in such a
way that it tries ldap-server-1 for the first policy and, if it's reachable,
then checks it against the next policy?
If it's not reachable, mark this server as dead or whatever, ignore
processing the following DEFAULT entries which match ldap-server-1,
and try to process the ldap-server-2 entries.
Please help me in solving this issue. Thanks for any help.
Regards,
Nikitha
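
The behaviour described in the message above, as an added model that is not part of the original post and is not FreeRADIUS code: it walks the DEFAULT entries in file order and compares the total delay with and without marking the unreachable server dead after its first failure. The timing constants, the user name alice and the dead_ms parameter are constructed assumptions.

```python
# Added illustration; a model, not FreeRADIUS code. All timings are constructed.
from dataclasses import dataclass

CONNECT_TIMEOUT_MS = 1000   # assumed cost of one failed connect to a dead server
QUERY_MS = 50               # assumed cost of one group lookup on a live server
CLIENT_TIMEOUT_MS = 15000   # assumed time before the wireless client restarts EAP

@dataclass
class LdapServer:
    reachable: bool
    groups: dict             # group name -> set of member user names
    dead_until_ms: int = 0   # server is skipped while the clock is below this

def build_scenario(n_dead_entries=20):
    """Entries in file order: g1..gN on ldap-server-1, g21..g50 on ldap-server-2."""
    servers = {
        "ldap-server-1": LdapServer(reachable=False, groups={}),
        "ldap-server-2": LdapServer(reachable=True, groups={"g50": {"alice"}}),
    }
    entries = [("ldap-server-1", f"g{i}") for i in range(1, n_dead_entries + 1)]
    entries += [("ldap-server-2", f"g{i}") for i in range(21, 51)]
    return entries, servers

def walk_entries(entries, servers, user, dead_ms=0):
    """Return (matched_group, elapsed_ms, failed_connects).

    dead_ms=0 models the post: each entry for the unreachable server pays a
    full connect timeout. dead_ms>0 models the requested behaviour: the first
    failure marks the server dead and its remaining entries are skipped.
    """
    clock = failed = 0
    for name, group in entries:
        srv = servers[name]
        if clock < srv.dead_until_ms:
            continue                      # marked dead, skip without connecting
        if not srv.reachable:
            clock += CONNECT_TIMEOUT_MS
            failed += 1
            if dead_ms:
                srv.dead_until_ms = clock + dead_ms
            continue
        clock += QUERY_MS
        if user in srv.groups.get(group, ()):
            return group, clock, failed
    return None, clock, failed

if __name__ == "__main__":
    for dead_ms in (0, 30000):
        entries, servers = build_scenario()
        group, ms, failed = walk_entries(entries, servers, "alice", dead_ms)
        print(dead_ms, group, ms, failed, "ok" if ms < CLIENT_TIMEOUT_MS else "client timeout")
```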