Load balancing and ldap group cache

FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) andy.franks1 at nhs.net
Mon Jul 20 12:05:34 CEST 2020


Hi all,
  Interesting one with v4 migration.
With 3.1 and previous we used to load balance over site-based ldap servers closest to the radius box authenticating the user (we've got a few sites, slow links between), e.g.

        switch &control:Sitename {
                case site1 {
                        redundant-load-balance {
                                site1_ldap1_authorize
                                site1_ldap2_authorize
                                site2_ldap3_authorize
                        }
                }
                case site2 {
..

We then call a later reference to a user group cache in a policy, e.g.:

if (&control:Cached-Ldap-Group && &control:Cached-Ldap-Group[*] =~ /${policy.groupdn-utvid-regexp}/) {

Which has also worked fine (NB we've used a custom group cache name "Cached-Ldap-Group")

The problem is previous versions used to let you have each ldap instance with the same cache name each time, e.g.

ldap site1_ldap1
  ..
  group {
         ..
        cache_attribute = "Cached-Ldap-Group"
  }

ldap site1_ldap2
  ..
  group {
         ..
        cache_attribute = "Cached-Ldap-Group"
  }

etc ..

.. but v4 doesn't seem to:

Creating attribute site1_ldap2-LDAP-Group
Error creating cache attribute
/etc/freeradius/mods-enabled/ldap[94]: Bootstrap failed for module "site1_ldap2".

If I rename the cache names to be unique it's ok.

Guess I either "find out" which ldap module was called in the redundant-load-balance section and then reference the specific ldap instance cache name later, or somehow get around having to check the group cache, probably doing another ldap lookup I suppose. Any ideas?
Thanks
Andy
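One way to follow the first idea in the message (let v4 keep its per-instance cache attributes and test whichever one got set), written as an added sketch that is not from the post or the FreeRADIUS project. It assumes the instance-named attributes the error message shows (`site1_ldap2-LDAP-Group` and, by the same pattern, `site1_ldap1-LDAP-Group`, `site2_ldap3-LDAP-Group`), the `&control:` reference syntax and `policy.groupdn-utvid-regexp` from the post, and a hypothetical policy name `utvid_group_check`:

```unlang
# Assumed: each ldap instance keeps its default v4 cache attribute
# (<instance>-LDAP-Group), so no two modules fight over one name.
switch &control:Sitename {
        case site1 {
                redundant-load-balance {
                        site1_ldap1_authorize
                        site1_ldap2_authorize
                        site2_ldap3_authorize
                }
        }
        case site2 {
                redundant-load-balance {
                        site2_ldap3_authorize
                        site1_ldap1_authorize
                }
        }
}

# Hypothetical policy: whichever instance answered populated its own
# cache attribute, so test each candidate instead of one shared name.
# An instance that was never called leaves its attribute unset, and
# the existence check keeps the regexp from matching an empty value.
utvid_group_check {
        if ((&control:site1_ldap1-LDAP-Group && &control:site1_ldap1-LDAP-Group[*] =~ /${policy.groupdn-utvid-regexp}/) ||
            (&control:site1_ldap2-LDAP-Group && &control:site1_ldap2-LDAP-Group[*] =~ /${policy.groupdn-utvid-regexp}/) ||
            (&control:site2_ldap3-LDAP-Group && &control:site2_ldap3-LDAP-Group[*] =~ /${policy.groupdn-utvid-regexp}/)) {
                ok
        }
        else {
                reject
        }
}
```

The list of attributes in the policy has to be extended whenever a new ldap instance is added to any load-balance block, which is the trade-off against a single shared cache name.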




