LDAP redundant with LDAP-Group within users file
Phil Mayers
p.mayers at imperial.ac.uk
Wed Jun 29 18:52:11 CEST 2011
On 06/29/2011 03:46 PM, Jan.Gnepper at t-systems.com wrote:
>> What is your "net_timeout" set to?
>
> net_timeout = 1
> timelimit = 2
> timeout = 4
>
> For testing I added a host route to another gateway (= host unreachable)
>
>
>> Unfortunately, when you supply>1 LDAP server, this is handled
>> internally by libldap, and libldap tries the LDAP servers in series, not
>> in parallel. So there will always be some outage.
>
> As I wrote in my first post, a short outage would be OK, but 15 minutes was too much.
OK. As I say, it definitely shouldn't take that long. libldap should
take at most net_timeout*N where N is the number of servers you have in
your:
server = "a.b.c.d x.y.z.w"
...line.
I will try to test this.
What OS are you on, and what LDAP libraries & version of those libs are
you using?
> Not as easy as it sounds ;-)
> 12 RADIUS pairs (single server with the same config) at 10 locations, 3 LDAP servers at 3 different locations.
> To counter the loss of one or two locations, load balancing will be very complex.
Sure.
People are looking into better LDAP failover in "redundant {}" stanzas.
LDAP-Group is a bit harder though.
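The point made above is that with several hosts in one rlm_ldap `server = "..."` line, libldap walks the list in series, so the worst case before a working server answers is roughly net_timeout multiplied by the number of servers, and anything far beyond that (15 minutes against a 3-second bound) points at something other than the connect timeout. The script below is an added example for this thread, not FreeRADIUS or OpenLDAP code: it parses a server line, computes that bound, and measures the actual serial connect delay so the two can be compared. The hostnames, the `SimulatedNetwork` stand-in and its timings are constructed so the demo runs offline; point `serial_connect` at the real `tcp_connector` to measure a live server list.

```python
"""Compare the expected serial-failover bound (net_timeout * N) with the
measured time to reach the first answering LDAP server.

Added example for this mailing-list thread; it assumes the behaviour the
message describes (servers tried one after another, a dead one costing up
to net_timeout seconds). Hostnames and simulated timings are constructed.
"""
import socket
import time
from typing import Callable, List, Optional, Tuple

# (host, port, timeout) -> None on success, raises OSError on failure.
Connector = Callable[[str, int, float], None]


def tcp_connector(host: str, port: int, timeout: float) -> None:
    """Real connector: open a TCP connection with the given timeout, then close it."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def parse_server_list(server_line: str) -> List[str]:
    """Split the space-separated rlm_ldap 'server' value into hostnames."""
    return server_line.strip().strip('"').split()


def worst_case_block(servers: List[str], net_timeout: float) -> float:
    """Bound from the thread: every server times out, tried in series."""
    return net_timeout * len(servers)


def serial_connect(
    servers: List[str],
    port: int,
    net_timeout: float,
    connector: Connector = tcp_connector,
    clock: Callable[[], float] = time.monotonic,
) -> Tuple[Optional[str], float, List[Tuple[str, float, str]]]:
    """Try each server in order and stop at the first that accepts a connection.

    Returns (server_or_None, total_elapsed_seconds, per_attempt_log).
    """
    start = clock()
    attempts: List[Tuple[str, float, str]] = []
    for host in servers:
        t0 = clock()
        try:
            connector(host, port, net_timeout)
        except OSError as exc:  # socket.timeout is an OSError subclass
            attempts.append((host, clock() - t0, repr(exc)))
            continue
        attempts.append((host, clock() - t0, "ok"))
        return host, clock() - start, attempts
    return None, clock() - start, attempts


class SimulatedNetwork:
    """Offline stand-in for the network (constructed for this example).

    Dead hosts burn the full timeout before failing; live hosts answer after
    a fixed small latency. The same object provides the clock, so the
    elapsed times seen by serial_connect are deterministic.
    """

    def __init__(self, dead_hosts: List[str], connect_latency: float = 0.05):
        self.now = 0.0
        self.dead = set(dead_hosts)
        self.latency = connect_latency

    def clock(self) -> float:
        return self.now

    def connect(self, host: str, port: int, timeout: float) -> None:
        if host in self.dead:
            self.now += timeout
            raise socket.timeout(f"connect to {host}:{port} timed out after {timeout}s")
        self.now += self.latency


def main() -> None:
    # Constructed configuration mirroring the thread: net_timeout = 1, three servers.
    servers = parse_server_list('"ldap1.example ldap2.example ldap3.example"')
    net_timeout = 1.0
    print(f"worst case if all {len(servers)} servers are dead: "
          f"{worst_case_block(servers, net_timeout):.1f}s")

    net = SimulatedNetwork(dead_hosts=["ldap1.example"])
    chosen, elapsed, log = serial_connect(servers, 389, net_timeout, net.connect, net.clock)
    for host, took, result in log:
        print(f"  {host:<14} {took:5.2f}s  {result}")
    print(f"reached {chosen} after {elapsed:.2f}s (bound {worst_case_block(servers, net_timeout):.1f}s)")


if __name__ == "__main__":
    main()
```

If a live run takes far longer than `worst_case_block` reports, the delay is not coming from the connect timeout the `server` line is subject to, which is the kind of discrepancy the message above is trying to pin down.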
More information about the Freeradius-Users mailing list