1 freeradius with 2 openldap (multi master)

François Mehault Francois.Mehault at netplus.fr
Fri May 29 16:58:04 CEST 2009


I did the same test but I swapped the order of ldap modules in /site-available/default

redundant {
        Ldapbackup
        Ldapmaster
}

and authorize section:

Auth-Type LDAP {
        redundant {
                Ldapbackup
                Ldapmaster
        }
}

And now, if I start radiusd and slapd on server A and not on server B, it works. And if I stop slapd on server A and start slapd on server B, it doesn't work. Maybe it's a lead...



-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org] On behalf of François Mehault
Sent: Friday 29 May 2009 16:23
To: FreeRadius users mailing list
Subject: RE: 1 freeradius with 2 openldap (multi master)

Well, in fact I have two servers: A and B.

A has freeradius + openldap

B has openldap backup

So on server A, I put in /site-available/default:

In the authentication section:

redundant {
        Ldapmaster
        Ldapbackup
}

and authorize section:

Auth-Type LDAP {
        redundant {
                Ldapmaster
                Ldapbackup
        }
}

Module Ldapmaster has attribute server="127.0.0.1", and Ldapbackup has attribute server="192.168.x.x" (IP of server B).

Well, if I shut down my openldap on server A, freeradius on server A will talk to openldap on server B, and it works perfectly!

[Ldapbackup] user fmehault authenticated succesfully
++[ Ldapbackup] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 93 to 192.168.0.50 port 1812
        Reply-Message = "Utilisateur: fmehault, group: Administrateur"
        Cisco-AVPair = "shell:priv-lvl=15"
        Service-Type = NAS-Prompt-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 93 with timestamp +11
Ready to process requests.




Another test: I stop the openldap daemon on server B and start openldap on server A, so I imagine my freeradius will talk to openldap on server A. But there is a problem:

[Ldapmaster] user fmehault authenticated succesfully
+++[ Ldapmaster] returns ok
++- policy redundant returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 94 to 192.168.0.50 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 94 with timestamp +10
Ready to process requests.



My NAS is a Cisco Catalyst 2950, and I use the RADIUS VSA Cisco-AVPair. As you can see in the log, I am successfully authenticated, and freeradius sends me an Access-Accept, without Reply-Message, Cisco-AVPair, Service-Type ... Why???

On cisco:

User Access Verification

Username: fmehault
Password:
% Authorization failed.


My two ldaps are both strictly the same, I'm sure, because if I don't use unlang redundant, it works.

Does someone have an idea??

Thanks for your help,

Regards,

François


-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org] On behalf of François Mehault
Sent: Friday 29 May 2009 15:27
To: FreeRadius users mailing list
Subject: RE: 1 freeradius with 2 openldap (multi master)

redundant-load-balance {
        ldap1     # 50%, unless ldap2 is down, then 100%
        ldap2     # 50%, unless ldap1 is down, then 100%
}


Seems perfect, thanks a lot !

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org] On behalf of Alan DeKok
Sent: Friday 29 May 2009 15:10
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)

François Mehault wrote:
> And in my site-available/default I load the two modules. If my two
> openldap are alive, authentication succeeds, but if one of them falls,
> authentication fails, so like this I have an « AND » between modules,
> and not an « OR » like I would. I don't know if I am really clear, I
> don't speak very well, sorry.

$ man unlang

  Look for "redundant"

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
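The configuration below is an added illustration of what the thread arrives at, written by the editor; it is not taken from the thread, from François's server or from the FreeRADIUS distribution. It defines two rlm_ldap instances and uses one redundant-load-balance group in both the authorize and authenticate sections, so that either OpenLDAP server can answer on its own. The instance names, addresses, DNs, credentials and timeout values are all placeholders or assumptions to adapt; the option names are the ones documented for rlm_ldap in FreeRADIUS 2.x.

```unlang
# --- module instances (e.g. in radiusd.conf or modules/ldap) ---
# Both instances must point at directories with identical content,
# otherwise the user gets different attributes depending on which
# server happens to answer.
ldap ldapmaster {
        server = "127.0.0.1"                     # server A (local)
        identity = "cn=radius,dc=example,dc=com"  # placeholder bind DN
        password = "CHANGE-ME"                    # placeholder
        basedn = "ou=people,dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # Short network timeout: a dead server must be detected quickly,
        # or every request waits for the TCP timeout before the group
        # falls through to the other instance. Values are assumptions.
        net_timeout = 1
        timeout = 4
        timelimit = 3
        ldap_connections_number = 5
}

ldap ldapbackup {
        server = "192.168.0.2"                    # placeholder for server B
        identity = "cn=radius,dc=example,dc=com"
        password = "CHANGE-ME"
        basedn = "ou=people,dc=example,dc=com"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        net_timeout = 1
        timeout = 4
        timelimit = 3
        ldap_connections_number = 5
}

# --- sites-available/default ---
authorize {
        preprocess
        # Spread lookups over both servers; if one is down, the other
        # takes 100% of the load instead of failing the request.
        redundant-load-balance {
                ldapmaster
                ldapbackup
        }
}

authenticate {
        Auth-Type LDAP {
                # Bind as the user against whichever server is reachable.
                redundant-load-balance {
                        ldapmaster
                        ldapbackup
                }
        }
}

post-auth {
        exec
}
```

When testing the failover, run the server with radiusd -X, stop one slapd at a time, and check in the debug output which instance answers each request and which Auth-Type it sets; if the reply attributes differ between the two paths, compare the two directories' entries for the test user before suspecting the unlang group.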