Complex redundant ldap setup
Capelle, Mark (PCMC-GB)
Mark.Capelle at pcmc.com
Tue Feb 26 21:33:55 CET 2008
I have an LDAP setup with multiple module statements pointing to the
same LDAP server, but at different OUs (referred to as sites), to get
around issues due to the large tree size present. This is currently
working with the following setup:
radiusd.conf:
modules {
    ldap srv1-sitea {
        ..
        set_auth_type = yes
    }
    ldap srv1-siteb {
        ..
        set_auth_type = yes
    }
}
sites-available/default:
authorize {
    srv1-sitea
    srv1-siteb
}
authenticate {
    Auth-Type srv1-sitea {
        srv1-sitea
    }
    Auth-Type srv1-siteb {
        srv1-siteb
    }
}
Now my goal is to make this a redundant configuration. I have
duplicated my modules config, changing "srv1" to "srv2" and changing the
IP address of the LDAP server. The rest of the configuration is what is
fuzzy for me. I assume that my authorize section would be:
authorize {
    redundant {
        srv1-sitea
        srv2-sitea
    }
    redundant {
        srv1-siteb
        srv2-siteb
    }
}
Now the authentication part is where it becomes complicated. I don't
even know where to begin with this. I tried this based on some old
configs I had used in the past, but this failed miserably:
authenticate {
    Auth-Type ldap {
        group {
            srv1-sitea {
                reject = 1
                ok = return
            }
            srv2-siteb {
                reject = return
                ok = return
            }
        }
    }
}
I read the "configurable failover" docs, but it is still not clear to me
what I would need to do in this situation.
I am sure there is probably an easy way to accomplish this so that for
each OU ("site") it uses both LDAP servers ("srv1","srv2") in a
redundant fashion, but how to do it is something I am having a heck of a
time figuring out.
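The configuration the question is working toward, written out as an added example; it is not part of the original post and not a reply from the list. It assumes FreeRADIUS 2.x unlang and two things the existing working config already relies on: with set_auth_type = yes each rlm_ldap instance sets Auth-Type to its own instance name (so "Auth-Type ldap" never matches here, and an Auth-Type block is needed for every instance name that can be set, including the srv2 ones reached by failover), and a redundant block falls through to the next module only on "fail" and returns on every other code. The four module instances (srv1/srv2 x sitea/siteb) are the ones described in the post; the authorize section is the one the post proposes.

```conf
# sites-available/default (added example; assumes the four rlm_ldap
# instances srv1-sitea, srv2-sitea, srv1-siteb, srv2-siteb from radiusd.conf,
# all with set_auth_type = yes)

authorize {
    # Site A: srv1 first; srv2 is tried only if srv1 returns "fail"
    # (unreachable, timeout). "notfound" returns from the block and lets
    # the request fall through to the site B block below.
    redundant {
        srv1-sitea
        srv2-sitea
    }
    redundant {
        srv1-siteb
        srv2-siteb
    }
}

authenticate {
    # Whichever instance found the user in authorize set Auth-Type to its
    # own name, so all four names need a block. Each block binds against
    # both servers of that site, preferring the one that answered in
    # authorize so the bind goes to the same data that was just read.
    Auth-Type srv1-sitea {
        redundant {
            srv1-sitea
            srv2-sitea
        }
    }
    Auth-Type srv2-sitea {
        redundant {
            srv2-sitea
            srv1-sitea
        }
    }
    Auth-Type srv1-siteb {
        redundant {
            srv1-siteb
            srv2-siteb
        }
    }
    Auth-Type srv2-siteb {
        redundant {
            srv2-siteb
            srv1-siteb
        }
    }
}
```

One check worth making after deploying this: a wrong password makes the LDAP bind return "reject", and the redundant block returns on "reject" rather than trying the other server, so a bad credential is not silently retried against the replica; only an unreachable or timing-out server causes the second bind attempt. Stop one LDAP server and confirm in debug output (radiusd -X) that both authorize and authenticate fall over to the other server, and that a wrong password is still rejected without a second bind.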