Load balance LDAP servers for group checking

Petar Marinkovic highl1 at gmail.com
Fri May 12 18:19:38 CEST 2017

Well, LDAP is Windows AD, and they're constantly up, I more think it's a
issue from the KVM running freeradius VM, that for some reason networking
is lost, or the switches. I would get failed authentications somewhere else
as well, not just through freeradius with group AD check.
At v3, how long are the group checks cached? Is there a setting it can be
defined or ? Also, does that mean at the next re-authentication request, it
will check the MAC address and certificate, but will use the cached group

Thanks for your help.


On Fri, May 12, 2017 at 5:03 PM, Alan DeKok <aland at deployingradius.com>

> On May 12, 2017, at 10:09 AM, Petar Marinkovic <highl1 at gmail.com> wrote:
> > But, sometimes I rarely get a hickup in LDAP binding, and since the bind
> > fail, because freeradius cannot connect to LDAP, request is rejected and
> > user cannot connect. Usually, this is random, and if user retries
> > authentication right away, it will get connected, but still it happens
> once
> > a month.
>   The short answer is to keep your LDAP servers up.  Poking FreeRADIUS is
> a bandaid, and won't fix the problem.
> > I've tried to follow https://wiki.freeradius.org/config/Load-balancing
> this
> > to set up redundance/load balancing, but all the time for group checking,
> > it's actually using the server I put last in the list, srom my case, it's
> > 2nd ldap server defined in /etc/raddb/modules/ldap2
>   Because you configured it to check LDAP-Group, which uses a *particular*
> module.  And doesn't do load balancing.
>   Upgrade to v3.  It will cache the group checks.  That will lower the
> load on LDAP quite a bit.
>   And, make FreeRADIUS less dependent on LDAP.
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
> list/users.html

More information about the Freeradius-Users mailing list