Load balance LDAP servers for group checking
Alan DeKok
aland at deployingradius.com
Fri May 12 17:03:23 CEST 2017
On May 12, 2017, at 10:09 AM, Petar Marinkovic <highl1 at gmail.com> wrote:
> But, sometimes I rarely get a hiccup in LDAP binding, and since the bind
> fails, because freeradius cannot connect to LDAP, request is rejected and
> user cannot connect. Usually, this is random, and if user retries
> authentication right away, it will get connected, but still it happens once
> a month.
The short answer is to keep your LDAP servers up. Poking FreeRADIUS is a bandaid, and won't fix the problem.
> I've tried to follow https://wiki.freeradius.org/config/Load-balancing this
> to set up redundancy/load balancing, but all the time for group checking,
> it's actually using the server I put last in the list, from my case, it's
> 2nd ldap server defined in /etc/raddb/modules/ldap2
Because you configured it to check LDAP-Group, which uses a *particular* module. And doesn't do load balancing.
Upgrade to v3. It will cache the group checks. That will lower the load on LDAP quite a bit.
And, make FreeRADIUS less dependent on LDAP.
Alan DeKok.