Load balance LDAP servers for group checking

Alan DeKok aland at deployingradius.com
Fri May 12 17:03:23 CEST 2017

On May 12, 2017, at 10:09 AM, Petar Marinkovic <highl1 at gmail.com> wrote:
> But, sometimes I rarely get a hickup in LDAP binding, and since the bind
> fail, because freeradius cannot connect to LDAP, request is rejected and
> user cannot connect. Usually, this is random, and if user retries
> authentication right away, it will get connected, but still it happens once
> a month.

  The short answer is to keep your LDAP servers up.  Poking FreeRADIUS is a bandaid, and won't fix the problem.

> I've tried to follow https://wiki.freeradius.org/config/Load-balancing this
> to set up redundance/load balancing, but all the time for group checking,
> it's actually using the server I put last in the list, srom my case, it's
> 2nd ldap server defined in /etc/raddb/modules/ldap2

  Because you configured it to check LDAP-Group, which uses a *particular* module.  And doesn't do load balancing.

  Upgrade to v3.  It will cache the group checks.  That will lower the load on LDAP quite a bit.

  And, make FreeRADIUS less dependent on LDAP.

  Alan DeKok.

More information about the Freeradius-Users mailing list