Redundant LDAP Servers
Jason Traeden
jtraeden at overstock.com
Fri May 2 17:26:57 CEST 2008
I am running freeradius version 2.0.4 and using LDAP against Active
Directory. When I have a single LDAP server set up, my authentication works
great. I am having trouble using the redundant LDAP settings.
Here is some config data
# rlm_ldap instance "ad01" (FreeRADIUS 2.0.4). The instance name is what the
# policy sections and the debug output refer to ("no module ad01 listed in the
# "authenticate" section"), so the Auth-Type section names must match it if the
# module is expected to set Auth-Type itself.
ldap ad01 {
# NOTE(review): instance ad02 points at this same host, so the redundant{}
# groups only retry one domain controller; a second DC hostname is needed for
# real failover.
server = ocdc01.overstock.com
# Plain LDAP on 389 with start_tls = no (in the tls{} block): the bind
# identity/password, and any user password this module checks by binding as
# the user, travel unencrypted between the RADIUS server and the DC.
port = 389
identity = "CN=LDAP
Bind,OU=Special,OU=OSTK_Accounts,DC=overstock,DC=com"
# Service-account bind credential stored in cleartext in this file (redacted
# in the post); keep the file readable only by the radius user.
password = xxxxxx
basedn = OU=OSTK_Accounts,DC=overstock,DC=com
# User lookup by sAMAccountName; falls back to User-Name when no realm was stripped.
filter =
"(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
"
ldap_connections_number = 5
timeout = 40
timelimit = 30
net_timeout = 10
tls {
# No StartTLS -- see the note on port 389 above.
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
groupname_attribute = cn
# Group membership is resolved with a second query keyed on the DN found by
# the user lookup (control:Ldap-UserDn); this is what the Ldap-Group checks in
# the users file evaluate.
groupmembership_filter
="(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objec
tClass=top)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = memberOf
#ldap_debug = 0xFFFF
}
# rlm_ldap instance "ad02" -- meant as the fallback for ad01, but it is a
# verbatim copy of ad01 including the server name, so the redundant{} groups
# retry the same domain controller rather than failing over to another one.
ldap ad02 {
# NOTE(review): same host as instance ad01; point this at a second DC for the
# redundancy the policy sections expect.
server = ocdc01.overstock.com
# Cleartext LDAP (port 389, start_tls = no): bind credential and any
# passwords checked by binding as the user cross the network unencrypted.
port = 389
identity = "CN=LDAP
Bind,OU=Special,OU=OSTK_Accounts,DC=overstock,DC=com"
# Service-account bind password, stored in cleartext here (redacted in the
# post); restrict file permissions accordingly.
password = xxxxxx
basedn = OU=OSTK_Accounts,DC=overstock,DC=com
# Same user lookup as ad01.
filter =
"(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(objectClass=person))
"
ldap_connections_number = 5
timeout = 40
timelimit = 30
net_timeout = 10
tls {
# No StartTLS -- see the note on port 389 above.
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
groupname_attribute = cn
# Group membership query keyed on the DN found by the user lookup; this is
# what ad02-Ldap-Group / Ldap-Group checks evaluate.
groupmembership_filter
="(|(&(objectClass=group)(member=%{control:Ldap-UserDn}))(&(objec
tClass=top)(uniquemember=%{control:Ldap-UserDn})))"
groupmembership_attribute = memberOf
#ldap_debug = 0xFFFF
}
# Modules to load at startup even if no policy section references them.
# ad01 and ad02 are already referenced in authorize/authenticate, so listing
# them here is presumably redundant (harmless). NOTE(review): the bare "ldap"
# entry refers to an ldap{} instance that is not in this paste; if no such
# section exists it should be removed -- confirm against the full modules config.
instantiate {
exec
expr
expiration
logintime
ldap
ad01
ad02
}
# authorize: try the two ldap instances in order, then evaluate the users
# file, whose Ldap-Group / ad01-Ldap-Group / ad02-Ldap-Group checks depend on
# the Ldap-UserDn that a successful ldap lookup stored in the control list.
authorize {
preprocess
redundant {
# fail = 1: a failed connection/lookup moves on to the next instance;
# ok = return: the first instance that answers ends the group. This looks like
# the default redundant{} behaviour, so the explicit actions are presumably
# optional -- verify against the 2.0.4 unlang docs.
ad01 {
fail = 1
ok = return
}
ad02 {
fail = 1
ok = return
}
}
# users file entries (see below) -- note they set Auth-Type := Accept.
files
expiration
logintime
pap
}
# authenticate: the debug output ("Over-riding set_auth_type, as there is no
# module ad01 listed in the "authenticate" section", same for ad02) shows each
# rlm_ldap instance looked for an Auth-Type named after itself, found none,
# and therefore stopped setting Auth-Type in authorize. As far as the pasted
# config shows nothing else ever selects "LDAP", which is why the request ends
# with "No authenticate method (Auth-Type) configuration found ... Rejecting
# the user". Two ways out: name the sections after the instances, e.g.
# `Auth-Type ad01 { ad01 }` and `Auth-Type ad02 { ad02 }`, so the instance that
# succeeded in authorize routes the request to itself; or keep `Auth-Type LDAP`
# and set Auth-Type := LDAP explicitly in authorize. NOTE(review): which of
# these is preferred should be checked against the 2.0.4 rlm_ldap docs.
authenticate {
Auth-Type PAP {
pap
}
# "LDAP" is not the name of either ldap instance defined above, so the
# instances' own set_auth_type logic never routes a request here.
Auth-Type LDAP {
redundant {
# Bind as the user against ad01; on failure (connection/bind error) try ad02.
ad01 {
fail = 1
ok = return
}
ad02 {
fail = 1
ok = return
}
}
}
}
# users-file entries (rlm_files). All three check the same AD group through
# three different group-comparison attributes: Ldap-Group (registered by every
# ldap instance) and the per-instance ad01-Ldap-Group / ad02-Ldap-Group created
# per the debug output. Each comparison is a live LDAP query, and with
# Fall-Through = No only the first matching entry applies, so the second and
# third entries are effectively dead copies.
# NOTE(review): the check item and its group DN appear on two lines here,
# presumably mail wrapping -- in the real file the check item must sit on the
# DEFAULT line itself.
# SECURITY: "Auth-Type := Accept" tells the server to accept the request
# WITHOUT running any authenticate method, i.e. a member of g.acl.neteng is
# accepted on username alone and the password is never verified against AD.
# If the intent is group-based authorization after an LDAP bind, drop the
# Auth-Type line (or use Auth-Type := LDAP) and keep only the reply items.
DEFAULT Ldap-Group ==
"CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com"
Auth-Type := Accept,
Foundry-Privilege-Level = 0,
Foundry-Command-String = *,
Foundry-Command-Exception-Flag = 0,
Foundry-INM-Privilege = 15,
Fall-Through = No
# Same group, checked via the ad01 instance only; unreachable when the entry
# above already matched.
DEFAULT ad01-Ldap-Group ==
"CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com"
Auth-Type := Accept,
Foundry-Privilege-Level = 0,
Foundry-Command-String = *,
Foundry-Command-Exception-Flag = 0,
Foundry-INM-Privilege = 15,
Fall-Through = No
# Same group, checked via the ad02 instance only; same remark as above.
DEFAULT ad02-Ldap-Group ==
"CN=g.acl.neteng,OU=Groups,OU=OSTK_Accounts,DC=overstock,DC=com"
Auth-Type := Accept,
Foundry-Privilege-Level = 0,
Foundry-Command-String = *,
Foundry-Command-Exception-Flag = 0,
Foundry-INM-Privilege = 15,
Fall-Through = No
Here is some debug info
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ad02-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ad02-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ad02
rlm_ldap: Over-riding set_auth_type, as there is no module ad02 listed in
the "authenticate" section.
rlm_ldap: Registering ldap_groupcmp for Ldap-Group
rlm_ldap: Creating new attribute ad01-Ldap-Group
rlm_ldap: Registering ldap_groupcmp for ad01-Ldap-Group
rlm_ldap: Registering ldap_xlat with xlat_name ad01
rlm_ldap: Over-riding set_auth_type, as there is no module ad01 listed in
the "authenticate" section.
auth: No authenticate method (Auth-Type) configuration found for the
request: Rejecting the user
auth: Failed to validate the user.
Thanks
Jason
--
Jason Traeden
Network Engineer
Overstock.com
6350 South 3000 East
Salt Lake City, UT 84121
jtraeden at overstock.com
Desk 801-947-3889
Cell 801-699-1379