LDAP redundant with LDAP-Group within users file
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jun 28 17:48:15 CEST 2011
On 28/06/11 16:12, Jan.Gnepper at t-systems.com wrote:
> Problem: radius always uses the same ldap server for group extends.
> If this (one!) server fails, radius authentication is not possible.
> Very bad, because we have "redundancy" configured, and expected to have zero outage.
Sorry. The "ldap" module and FreeRADIUS do not work that way.
"LDAP-Group" is a virtual attribute, that is registered by the first
LDAP module to be created; it can't "fail over". It doesn't know about
"redundant {}" or similar.
> Defining all three servers within one section in modules/ldap
>
> ldap {
> server = "<IP ldap-1> <IP ldap-2> <IP ldap-3>"
> }
>
> And setting just "ldap" within authorize and authenticate:
>
> With this config another ldap server is chosen if the one that has handled the communication for ldap group extends fails. But failover took 15 minutes. That's much too long for us.
> (1-3 minutes at most will be acceptable, "zero outage" gorgeous/expected)
It should not take 15 minutes.
What is your "net_timeout" set to?
Unfortunately, when you supply >1 LDAP server, this is handled
internally by libldap, and libldap tries the LDAP servers in series, not
in parallel. So there will always be some outage.
FreeRADIUS does not currently have connection pools, and they're a bit
hard with LDAP because libldap doesn't have a great API.
>
> I found mails regarding similar problems within the archive, but no suitable solution.
> (e.g http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg23408.html from 2006)
>
> Is there a solution for reducing the outage and having loadbalancing for our case?
At the moment, the "ldap" module does not have the kind of instant
failover you're looking for. You will need some kind of IP loadbalancing
solution in front of your LDAP servers to achieve this.
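The IP load-balancing front end suggested above, as an added example that is not part of this thread and not FreeRADIUS or HAProxy project code. It is an HAProxy TCP listener that health-checks each directory server with an LDAPv3 anonymous bind and only routes to servers that answer; FreeRADIUS then points its single `server =` at the listener's address, so libldap never has to walk a server list in series. The addresses 192.0.2.10 and 10.0.0.11-13 and the names ldap1-ldap3 are placeholders.

```conf
# Added example: HAProxy in front of three LDAP servers for FreeRADIUS.
# Addresses and server names below are placeholders, not from the thread.

global
    log /dev/log local0
    maxconn 2000

defaults
    mode    tcp                 # LDAP is plain TCP; no HTTP parsing
    log     global
    option  tcplog
    timeout connect 2s          # fail fast on a dead backend
    timeout client  60s
    timeout server  60s

# Single address FreeRADIUS talks to:  ldap { server = "192.0.2.10" }
frontend ldap_in
    bind 192.0.2.10:389
    default_backend ldap_servers

backend ldap_servers
    balance roundrobin
    # LDAPv3 anonymous simple bind as the health check, every 2s;
    # 2 failures take a server out, 3 successes bring it back.
    option ldap-check
    default-server inter 2s fall 2 rise 3
    server ldap1 10.0.0.11:389 check
    server ldap2 10.0.0.12:389 check
    server ldap3 10.0.0.13:389 check
```

With this in place a directory outage is detected in a few seconds rather than after libldap's per-server timeouts; FreeRADIUS keeps one `ldap` instance, so the LDAP-Group attribute is registered by that one module and continues to resolve. Keep `net_timeout` in the ldap module small as well, since the listener still refuses or drops connections briefly while a server is being marked down. If the directory requires TLS, use `ldaps` on port 636 with `option ssl-hello-chk` instead, or terminate TLS at HAProxy; `option ldap-check` only works against a cleartext LDAP port.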