Load balance LDAP servers for group checking
Petar Marinkovic
highl1 at gmail.com
Fri May 12 18:19:38 CEST 2017
Well, LDAP is Windows AD, and they're constantly up. I think it's more an
issue with the KVM running the FreeRADIUS VM, where for some reason networking
is lost, or with the switches. I would get failed authentications elsewhere
as well, not just through FreeRADIUS with the AD group check.
In v3, how long are the group checks cached? Is there a setting where it can be
defined? Also, does that mean that at the next re-authentication request it
will check the MAC address and certificate, but will use the cached group
value?
Thanks for your help.
Petar
On Fri, May 12, 2017 at 5:03 PM, Alan DeKok <aland at deployingradius.com>
wrote:
> On May 12, 2017, at 10:09 AM, Petar Marinkovic <highl1 at gmail.com> wrote:
> > But sometimes I rarely get a hiccup in LDAP binding, and since the bind
> > fails, because FreeRADIUS cannot connect to LDAP, the request is rejected
> > and the user cannot connect. Usually this is random, and if the user
> > retries authentication right away it will get connected, but it still
> > happens once a month.
>
> The short answer is to keep your LDAP servers up. Poking FreeRADIUS is
> a bandaid, and won't fix the problem.
>
> > I've tried to follow https://wiki.freeradius.org/config/Load-balancing
> > to set up redundancy/load balancing, but every time, for group checking,
> > it's actually using the server I put last in the list; in my case, it's
> > the 2nd LDAP server defined in /etc/raddb/modules/ldap2
>
> Because you configured it to check LDAP-Group, which uses a *particular*
> module, and doesn't do load balancing.
>
> Upgrade to v3. It will cache the group checks. That will lower the
> load on LDAP quite a bit.
>
> And, make FreeRADIUS less dependent on LDAP.
>
> Alan DeKok.
>
>
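The configuration below is an added example, not something from either message or from the FreeRADIUS project itself. It shows the v3 shape of what the thread discusses: two `ldap` module instances wrapped in a `redundant-load-balance` block (so a bind hiccup on one AD server fails over instead of rejecting the user), and the per-instance `group { cacheable_name ... }` settings that make rlm_ldap fetch the user's group list once per request and store it in a control attribute, so later group checks in the same request (for example in the inner tunnel after an outer EAP-TLS check) do not hit the directory again. Caching across separate authentication requests is a job for rlm_cache, not rlm_ldap, and the hostnames, base DN, bind account and group name here are placeholders; the default cache attribute name can be instance-prefixed depending on the 3.0.x release, so check the comments in your own `mods-available/ldap`.

```unlang
# /etc/raddb/mods-enabled/ldap  (added example; placeholders marked)
ldap ldap1 {
	server = "ad1.example.internal"        # placeholder AD domain controller
	identity = "CN=radius,OU=svc,DC=example,DC=internal"  # placeholder bind account
	password = "replace-me"                  # placeholder; keep out of version control
	base_dn = "DC=example,DC=internal"       # placeholder base DN

	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = "${..base_dn}"
		filter = "(objectClass=group)"
		name_attribute = cn
		membership_attribute = "memberOf"
		# Fetch all of the user's groups once and keep them in the request's
		# control list, so repeated LDAP-Group checks reuse the cached list.
		cacheable_name = "yes"
		cacheable_dn = "yes"
		cache_attribute = "LDAP-Cached-Membership"
	}

	pool {
		start = 5
		min = 4
		max = 32
		spare = 3
		retry_delay = 30   # seconds before a failed server is retried
	}
}

# Second AD server: identical settings except the host. A real config would
# share the common block with $INCLUDE; it is written out here for clarity.
ldap ldap2 {
	server = "ad2.example.internal"        # placeholder AD domain controller
	identity = "CN=radius,OU=svc,DC=example,DC=internal"
	password = "replace-me"
	base_dn = "DC=example,DC=internal"
	user {
		base_dn = "${..base_dn}"
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}
	group {
		base_dn = "${..base_dn}"
		filter = "(objectClass=group)"
		name_attribute = cn
		membership_attribute = "memberOf"
		cacheable_name = "yes"
		cacheable_dn = "yes"
		cache_attribute = "LDAP-Cached-Membership"
	}
	pool {
		start = 5
		min = 4
		max = 32
		spare = 3
		retry_delay = 30
	}
}

# /etc/raddb/sites-enabled/default, authorize section (fragment).
# redundant-load-balance picks an instance at random and falls through to
# the next one on "fail", so a single unreachable AD server no longer turns
# into an Access-Reject.
authorize {
	...
	redundant-load-balance {
		ldap1
		ldap2
	}

	# Group check against the cached membership list rather than a fresh
	# query to a particular instance. "wifi-users" is a placeholder group.
	if (&control:LDAP-Cached-Membership[*] == "wifi-users") {
		update control {
			&Auth-Type := EAP
		}
	}
	else {
		reject
	}
	...
}
```

The point of the `cache_attribute` comparison rather than `ldap2-LDAP-Group == "..."` is exactly the behaviour described in the quoted reply: an instance-specific `LDAP-Group` check always talks to that one instance and bypasses the load-balance block, whereas the cached list was populated by whichever instance actually answered. Run `radiusd -X` and watch for the `LDAP-Cached-Membership` entries being added to the control list to confirm the cache is being used.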