LDAP redundant with LDAP-Group within users file

Jan.Gnepper at t-systems.com
Wed Jun 29 16:46:54 CEST 2011


>> Problem: radius is always using the same ldap server for group extends.
>> If this (one!) server fails, radius authentication is not possible.
>> Very bad, because we have "redundancy" configured and expected to have zero outage.

>Sorry. The "ldap" module and FreeRADIUS do not work that way. 
>"LDAP-Group" is a virtual attribute, that is registered by the first 
>LDAP module to be created; it can't "fail over". It doesn't know about 
>"redundant {}" or similar.

OK, thanks for the detailed answer.
I read answers in other threads that already point to that fact.


>> Defining all three servers within one section in modules/ldap
>>
>>          ldap {
>>                  server = "<IP ldap-1>  <IP ldap-2>  <IP ldap-3>"
>>                  ...
>>          }
>>
>> And setting just "ldap" within authorize and authenticate:
>>
>> With this config another ldap server is chosen if the one that has handled the communication for ldap group extends fails. But failover took 15 minutes. That's much too long for us.
>> (1-3 minutes at most will be acceptable, "zero outage" gorgeous/expected)

>It should not take 15 minutes.

>What is your "net_timeout" set to?

net_timeout = 1
timelimit = 2
timeout = 4

For testing I added a host route to another gateway (= host unreachable).


>Unfortunately, when you supply >1 LDAP server, this is handled 
>internally by libldap, and libldap tries the LDAP servers in series, not 
>in parallel. So there will always be some outage.

As I wrote in my first post, a short outage would be ok, but 15 minutes was too much.
I added the host route to the server that opened the first connection when a request came in (I thought that this is the call regarding ldap-group).
That was normally the last one from the list (server=...).
I made several requests, but all ended with "server unreachable / reject".
But I could see in tcpdump that after 15 minutes a lot of connections to another ldap server were opened.
From this moment, all new requests were successful, to another ldap.


>FreeRADIUS does not currently have connection pools, and they're a bit 
>hard with LDAP because libldap doesn't have a great API.

>>
>> I found mails regarding similar problems within the archive, but no suitable solution.
>> (e.g. http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg23408.html from 2006)
>>
>> Is there a solution for reducing the outage and having load balancing for our case?

>At the moment, the "ldap" module does not have the kind of instant 
>failover you're looking for. You will need some kind of IP loadbalancing 
>solution in front of your LDAP servers to achieve this.

Not as easy as it sounds ;-)
12 radius pairs (single servers with the same config) at 10 locations, 3 ldap servers at 3 different locations.
To countervail the loss of one or two locations, load balancing will be very complex.