LDAP redundant with LDAP-Group within users file

[Phil Mayers]

On 28/06/11 16:12, Jan.Gnepper at t-systems.com wrote:

> Problem: radius is using always the same ldap server for group extends.
> If this (one!) server fails, radius authentication is not possible.
> Very bad, because we have "redundancy" configured, and expected to have zero outage.

Sorry. The "ldap" module and FreeRADIUS do not work that way. 
"LDAP-Group" is a virtual attribute, that is registered by the first 
LDAP module to be created; it can't "fail over". It doesn't know about 
"redundant {}" or similar.

> Defining all three server whithin one section in modules/ldap
>
>          ldap {
>                  server = "<IP ldap-1>  <IP ldap-2>  <IP ldap-3>"
>                  .}
>
> And setting just "ldap" within authorize and authenticate:
>
> With this config an other ldap server is choosen, if the one that has handelt the communication for ldap group extends fails. But failover took 15 minutes. Thats much too long for us.
> (1-3 minutes at most will be acceptable, "zero outage" gorgeous/expected)

It should not take 15 minutes.

What is your "net_timeout" set to?

Unfortunately, when you supply >1 LDAP server, this is handled 
internally by libldap, and libldap tries the LDAP servers in series, not 
in parallel. So there will always be some outage.

FreeRADIUS does not currently have connection pools, and they're a bit 
hard with LDAP because libldap doesn't have a great API.

>
> I found mails regarding similar problems within the archive, but no suitable solution.
> (e.g http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg23408.html from 2006)
>
> Is there a solution for reducing the outage and having loadbalancing for our case?

At the moment, the "ldap" module does not have the kind of instant 
failover you're looking for. You will need some kind of IP loadbalancing 
solution in front of your LDAP servers to achieve this.