1 freeradius with 2 openldap (multi master)
François Mehault
Francois.Mehault at netplus.fr
Fri May 29 16:58:04 CEST 2009
I did the same test but I swapped the order of the ldap modules in sites-available/default:

redundant {
        Ldapbackup
        Ldapmaster
}

and in the authorize section:

Auth-Type LDAP {
        redundant {
                Ldapbackup
                Ldapmaster
        }
}
And now, if I start radiusd and slapd on server A and not on server B, it works. And if I stop slapd on server A and start slapd on server B, it doesn't work. It may be a lead...
-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org] On behalf of François Mehault
Sent: Friday, May 29, 2009 16:23
To: FreeRadius users mailing list
Subject: RE: 1 freeradius with 2 openldap (multi master)
Well, in fact I have two servers: A and B.
A has freeradius + openldap
B has the openldap backup
So on server A, I put in sites-available/default:

In the authentication section:

redundant {
        Ldapmaster
        Ldapbackup
}

and in the authorize section:

Auth-Type LDAP {
        redundant {
                Ldapmaster
                Ldapbackup
        }
}

Module Ldapmaster has the attribute server="127.0.0.1", and Ldapbackup has the attribute server="192.168.x.x" (IP of server B).
Well, if I shut down my openldap on server A, freeradius on server A will talk to openldap on server B, and it works perfectly!
[Ldapbackup] user fmehault authenticated succesfully
++[ Ldapbackup] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 93 to 192.168.0.50 port 1812
Reply-Message = "Utilisateur: fmehault, group: Administrateur"
Cisco-AVPair = "shell:priv-lvl=15"
Service-Type = NAS-Prompt-User
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 93 with timestamp +11
Ready to process requests.
Another test: I stop the openldap daemon on server B and start openldap on server A, so I imagine my freeradius will talk to openldap on server A. But there's a problem:
[Ldapmaster] user fmehault authenticated succesfully
+++[ Ldapmaster] returns ok
++- policy redundant returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 94 to 192.168.0.50 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 94 with timestamp +10
Ready to process requests.
My NAS is a Cisco Catalyst 2950, and I use the RADIUS VSA Cisco-AVPair. As you can see in the log, I am successfully authenticated, and freeradius sends me an Access-Accept, but without Reply-Message, Cisco-AVPair, Service-Type ... Why ???
On cisco:
User Access Verification
Username: fmehault
Password:
% Authorization failed.
My two LDAPs are both strictly the same; I'm sure of that, because if I don't use unlang redundant, it works.
Does someone have an idea??
Thanks for your help,
Regards,
François
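As an added example (not from the thread, and not the FreeRADIUS distribution's own configuration), here is how the two-instance setup discussed above fits together in FreeRADIUS 2.x syntax: two named instances of the ldap module, then a redundant block in each section. Note that the plain redundant block belongs in authorize, while the Auth-Type LDAP sub-section belongs in authenticate. The server address of the backup, the base DN and the bind credentials are assumptions; substitute your own.

```unlang
# Added example, not from the thread. FreeRADIUS 2.x syntax.
# Addresses, base DN and bind credentials below are assumed values.

# raddb/modules/ldap : two instances of the same module, identical except for "server".
ldap ldapmaster {
        server = "127.0.0.1"
        port = 389
        identity = "cn=radius,dc=example,dc=fr"   # assumed bind DN
        password = "changeme"                      # assumed bind password
        basedn = "ou=people,dc=example,dc=fr"      # assumed base DN
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        # Short connect timeout: an unreachable server must return "fail"
        # quickly so the fallback is tried before the NAS retransmits.
        net_timeout = 1
        timeout = 4
        timelimit = 3
        ldap_connections_number = 5

        # Map LDAP attributes (e.g. radiusReplyItem) to reply attributes
        # such as Reply-Message and Cisco-AVPair.
        dictionary_mapping = ${confdir}/ldap.attrmap

        # Default: when the user is found and no other module claimed the
        # request, set Auth-Type := LDAP so authenticate does the LDAP bind.
        set_auth_type = yes
}

ldap ldapbackup {
        server = "192.168.0.2"                     # assumed address of server B
        port = 389
        identity = "cn=radius,dc=example,dc=fr"
        password = "changeme"
        basedn = "ou=people,dc=example,dc=fr"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        net_timeout = 1
        timeout = 4
        timelimit = 3
        ldap_connections_number = 5
        dictionary_mapping = ${confdir}/ldap.attrmap
        set_auth_type = yes
}

# raddb/sites-available/default
authorize {
        preprocess

        # "redundant" runs the modules in order and moves to the next one
        # only when the current one returns "fail" (e.g. the connection
        # attempt failed). Any other code ("ok", "notfound", "reject", ...)
        # ends the block and becomes its result.
        redundant {
                ldapmaster
                ldapbackup
        }

        # Alternative from "man unlang": spread queries over both servers
        # and still fail over when one is down.
        # redundant-load-balance {
        #         ldapmaster
        #         ldapbackup
        # }
}

authenticate {
        Auth-Type LDAP {
                redundant {
                        ldapmaster
                        ldapbackup
                }
        }
}
```

To check which instance actually served a request, run the server with `radiusd -X` and look for the `[ldapmaster]`/`[ldapbackup]` lines followed by `policy redundant returns ok`, then confirm that the Access-Accept printed just after still carries the reply attributes (Reply-Message, Cisco-AVPair, Service-Type) you expect from the directory. Stop slapd on one server at a time and repeat the test in both directions, as in the thread, so that both failover paths are exercised.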
-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org] On behalf of François Mehault
Sent: Friday, May 29, 2009 15:27
To: FreeRadius users mailing list
Subject: RE: 1 freeradius with 2 openldap (multi master)
redundant-load-balance {
        ldap1   # 50%, unless ldap2 is down, then 100%
        ldap2   # 50%, unless ldap1 is down, then 100%
}

Seems perfect, thanks a lot!
-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus.fr at lists.freeradius.org] On behalf of Alan DeKok
Sent: Friday, May 29, 2009 15:10
To: FreeRadius users mailing list
Subject: Re: 1 freeradius with 2 openldap (multi master)
François Mehault wrote:
> And in my sites-available/default I load the two modules. If my two
> openldap are alive, authentication succeeds, but if one of them falls,
> authentication fails, so like this I have an « AND » between modules,
> and not an « OR » like I would. I don't know if I am really clear, I
> don't speak very well, sorry.
$ man unlang
Look for "redundant"
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html