LDAP redundant with LDAP-Group within users file
Jan.Gnepper at t-systems.com
Tue Jun 28 17:12:47 CEST 2011
Hi,
We use radius (freeradius2-2.1.7-7.el5) for user authentication/authorization on network devices.
For that we use a mapping from huntgroups to LDAP groups.
We have three LDAP servers running, and wanted to use "redundant" or "redundant-load-balance".
I have tested two cases so far, because I already found messages that point to known problems with LDAP redundancy and extends (ldap-groups) within the users file.
Case 1
================
Defining 3 separate LDAP servers within modules/ldap:
ldap ldap-1 {
    server = "<IP ldap-1>"
    ...
}
ldap ldap-2 {
    server = "<IP ldap-2>"
    ...
}
ldap ldap-3 {
    server = "<IP ldap-3>"
    ...
}
And using "redundant" for ldap within authorize and authenticate:
authorize {
    preprocess
    files
    redundant {
        ldap-1
        ldap-2
        ldap-3
        handled
    }
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type ldap-1 {
        ldap-1
    }
    Auth-Type ldap-2 {
        ldap-2
    }
    Auth-Type ldap-3 {
        ldap-3
    }
    Auth-Type LDAP {
        redundant {
            ldap-1
            ldap-2
            ldap-3
            handled
        }
    }
}
Problem: radius always uses the same LDAP server for the group extends.
If this (one!) server fails, radius authentication is not possible.
Very bad, because we have "redundancy" configured and expected to have zero outage.
Case 2
================
Defining all three servers within one section in modules/ldap:
ldap {
    server = "<IP ldap-1> <IP ldap-2> <IP ldap-3>"
    ...
}
And setting just "ldap" within authorize and authenticate:
authorize {
    preprocess
    files
    ldap
    pap
}
authenticate {
    Auth-Type PAP {
        pap
    }
    Auth-Type LDAP {
        ldap
    }
}
With this config another LDAP server is chosen if the one that has handled the communication for the LDAP group extends fails. But failover took 15 minutes. That's much too long for us.
(1-3 minutes at most would be acceptable; "zero outage" would be gorgeous/expected.)
I found mails regarding similar problems within the archive, but no suitable solution.
(e.g. http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg23408.html from 2006)
Is there a solution for reducing the outage and having load balancing for our case?
I hope that I explained my problem understandably (native language is German) and didn't paste too many configs.
Jan
Just an excerpt of our users file; we have 18 default lines and an additional 4 for a local/PAP user:
DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == "<LDAP-GROUP-Team-a>"
	Login-Service = Telnet
DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == "<LDAP-GROUP-Team-b>"
	Login-Service = Telnet
DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == "<LDAP-GROUP-Team-c>"
	Login-Service = Telnet
DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", LDAP-Group == "<LDAP-GROUP-Team-a>"
	Login-Service = Telnet,
	Vendor-Specific = 9,
	Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""
DEFAULT Auth-Type := LDAP, Huntgroup-Name == "brocade", LDAP-Group == "<LDAP-GROUP-Team-a>"
	Vendor-Specific = 1991,
	Foundry-Privilege-Level = 0,
	foundry-command-string = "*",
	foundry-command-exception-flag = 0
DEFAULT Auth-Type := LDAP, LDAP-Group == "<LDAP-GROUP-Team-a>"
	Service-Type = Administrative-User,
	Login-Service = Telnet,
	Vendor-Specific = 9,
	cisco-avpair = "shell:priv-lvl=15"
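As an added illustration (my own code, not from the post or from FreeRADIUS), a small Python simulation of how a users file like the one above is evaluated: the DEFAULT entries are tried in order, every `LDAP-Group ==` check is one directory query answered through the ldap module's registered compare, and the first entry whose checks all pass supplies the reply. The user names, group names and the lookup function are constructed stand-ins for a real directory.

```python
import re

# One "Attribute op value" item; values are bare words or "quoted" with \" escapes.
ITEM_RE = re.compile(r'([\w-]+)\s*(:=|==|=)\s*("(?:[^"\\]|\\.)*"|[^,\s]+)')
unquote = lambda v: v[1:-1].replace('\\"', '"') if v.startswith('"') else v

def parse_users(text):
    """Return [{'name', 'checks': [(attr, op, val)], 'replies': [(attr, val)]}, ...]."""
    entries = []
    for line in (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith('#')):
        if line[0] not in ' \t':            # header: username or DEFAULT, then check items
            name, _, rest = line.partition(' ')
            entries.append({'name': name, 'replies': [],
                            'checks': [(a, op, unquote(v)) for a, op, v in ITEM_RE.findall(rest)]})
        else:                               # indented line: reply items of the last entry
            entries[-1]['replies'] += [(a, unquote(v)) for a, _, v in ITEM_RE.findall(line)]
    return entries

def match(entries, request, group_lookup):
    """First entry whose checks all pass wins; returns (control, replies, group lookups made)."""
    lookups = 0
    for e in entries:
        control, ok = {}, True
        for attr, op, val in e['checks']:
            if op == ':=':                  # control item such as Auth-Type := LDAP
                control[attr] = val
            elif attr == 'LDAP-Group':      # answered by the ldap module's compare callback
                lookups += 1
                ok = group_lookup(request['User-Name'], val)
            else:                           # plain comparison against a request attribute
                ok = request.get(attr) == val
            if not ok:
                break
        if ok:
            return control, dict(e['replies']), lookups
    return None, {}, lookups

# Constructed users-file excerpt in the shape of the post; group names are placeholders.
USERS_FILE = '''\
DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == "team-a"
\tLogin-Service = Telnet
DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == "team-b"
\tLogin-Service = Telnet
DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", LDAP-Group == "team-a"
\tCisco-AVPair = "shell:roles*\\"network-admin\\" \\"vdc-admin\\""
DEFAULT Auth-Type := LDAP, LDAP-Group == "team-a"
\tService-Type = Administrative-User
'''
DIRECTORY = {'alice': {'team-a'}, 'bob': {'team-b'}}   # constructed group membership
def fake_group_lookup(user, group):        # stands in for the real LDAP group query
    return group in DIRECTORY.get(user, set())
```

The lookup counter is the point to watch: a single request can need several group queries before an entry matches, so each query waits on whichever server answers the compare.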