ldap redundant-load-balance sanity check and questions
Brantley Padgett
brantleyp1 at yahoo.com
Tue Oct 11 20:55:48 UTC 2022
There was a thread a few days ago that caused me to relook at how to configure failover for multiple LDAP backends. After a lot of reading, and a lot more trial and error, I have an apparently functioning solution. Is there anything glaringly wrong with this configuration? Also, I didn't have any luck finding end-to-end examples, so I'm also hoping this will help if anyone else is trying to figure out a similar setup.
First, my setup. I started with a fresh build, installed FR 3.2 from the networkradius repo.
I added to radiusd.conf in the instantiate stanza:
redundant-load-balance redundant_ldap {
    server1
    server2
    server3
}
I edited mods-available/ldap:
ldap server1 {
    $INCLUDE ${modconfdir}/files/ldap_server_info
    server = 'ldap1.example.net'
}
ldap server2 {
    $INCLUDE ${modconfdir}/files/ldap_server_info
    server = 'ldap2.example.net'
}
ldap server3 {
    $INCLUDE ${modconfdir}/files/ldap_server_info
    server = 'ldap3.example.net'
}
To make the ldap config more readable and save typing, I next made a file, mods-config/files/ldap_server_info, containing all the LDAP data (user, group, filters, etc.) that is static between all 3 nodes:
port = [...]
identity = [...]
password = [...]
base_dn = [...]
update {
    control:Password-With-Header += 'userPassword'
    control:NT-Password := 'sambaNTPassword'
}
user_dn = "LDAP-UserDn"
user {
    [...]
}
group {
    [...]
}
accounting {
    [...]
}
# Post-Auth can modify LDAP objects too
post-auth {
    update {
        description := "Authenticated at %S"
    }
}
# LDAP connection-specific options.
options {
    [...]
}
tls {
    [...]
}
pool {
    [...]
}
Then, in sites-available/default
Under authenticate I uncommented and changed the Auth-Type LDAP call to:
Auth-Type LDAP {
    redundant_ldap {
    }
}
Under authorize is where I have a few questions. What I finally did that works: (question #1)
redundant_ldap
if ((ok || updated) && User-Password && !control:Auth-Type) {
    update control {
        &Auth-Type := LDAP
    }
    #update session-state { ## ignore these, they were iterations trying to figure out how to combine Ldap-Group related to question 2
    #    #&control:Ldap-Group += &control:Ldap-Group[*]
    #    &Ldap-Group += &Ldap-Group[*]
    #}
}
Finally, under post-auth I have it return some groups/etc. for various devices. It finally clicked that I had to list each ldap server instance for Ldap-Group. I tried a few different Stack Overflow-inspired answers that update session-state or similar, but wasn't able to get any of those to work. (question 2)
if (server1-Ldap-Group == "group1") || (server2-Ldap-Group == "group1") || (server3-Ldap-Group == "group1") {
    update reply {
        [...]
    }
} elsif (server1-Ldap-Group == "group2") || (server2-Ldap-Group == "group2") || (server3-Ldap-Group == "group2") {
    update reply {
        [...]
    }
} elsif (server1-Ldap-Group == "group3") || (server2-Ldap-Group == "group3") || (server3-Ldap-Group == "group3") {
    update reply {
        [...]
    }
} else {
    update reply {
        [...]
    }
}
My questions:
Foremost, where I had to comment out the update control Auth-Type, what is that step? I know this is a pretty basic question, but either I couldn't find it in the docs (I'm sure it's there, I just don't know what to look for), or didn't understand it if I did find it: what is that update call actually doing? I tried a few different versions, and when the config check ran cleanly I stopped messing with it. I get appropriate answers from radtest, I'm just not sure what is happening. I actually had all of the update block commented out, so just "if (( ok... )) {}" with nothing between the braces, and it works, which is the reason for the question. I assume this is an example, as stated in the docs, of not messing with Auth-Type but letting the server "just figure it out", but wanted to make sure.
Question 2: is there a better way of handling multiple server[n]-Ldap-Group responses? I tried to follow https://stackoverflow.com/questions/58187426/freeradius-problem-with-redundant-load-balance-ldap-group but wasn't exactly sure where those stanzas needed to go, or if rlb_ldap was a typo, or what. (P.S. As I type that, I realize where rlb_ldap came from: that is the instance name the question gave to the redundant-load-balance.) Either way, while server[n]-Ldap-Group works, it's cumbersome to expand with Ansible, so I'm hoping there's a more elegant way that I'm just not seeing.
Thank you in advance!
Brantley Padgett
The question is not how far. The question is,
do you possess the constitution,
the depth of faith, to go as far as is needed?
-Boondock Saints
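The following is an added example, not from the original post or from the FreeRADIUS project, showing one way to collapse the per-instance server[n]-Ldap-Group checks from question 2 into a single attribute, and annotating the Auth-Type update from question 1. It relies on the group-caching options (cacheable_name, cache_attribute) that the stock mods-available/ldap shipped with 3.x documents in its group section; check the comments in your own copy before enabling them. The instance names (server1..server3, redundant_ldap), the shared include file and the group names are taken from the post. LDAP-Cached-Membership is an assumed attribute name (it is the one used in the stock file's commented-out example; any name works as long as all three instances use the same one), and the example assumes your directory exposes group names through the membership_attribute / membership_filter you already configured. rlm_ldap registers its cache attribute when it is instantiated, so no dictionary entry should be needed; if the server complains about an unknown attribute at startup, define it in a local dictionary as a string.

```unlang
# mods-config/files/ldap_server_info  (shared by server1, server2 and server3)
# Only the group section is shown; everything else stays as in the post.
group {
    [...]

    # Look up all of the user's groups once, during authorize, and cache
    # them in the control list instead of running a fresh LDAP query for
    # every "== group" comparison later on.
    cacheable_name = 'yes'
    cacheable_dn = 'no'

    # Every instance writes its cached memberships to this one attribute
    # instead of <instance>-Ldap-Group, so it no longer matters which
    # backend redundant_ldap actually answered.  Assumed name (see lead-in).
    cache_attribute = 'LDAP-Cached-Membership'
}

# sites-available/default
authorize {
    [...]
    redundant_ldap

    # The ldap instances copy userPassword / sambaNTPassword into the
    # control list (the "update" block in ldap_server_info).  Setting
    # Auth-Type := LDAP here forces authentication to be an LDAP bind as
    # the user, with the password from the request.  If the update block
    # is empty and the pap module is still listed after this in authorize
    # (as in the stock default site), pap sees the cached password
    # attributes, sets Auth-Type := PAP itself and verifies the hash
    # locally; that is why the empty block also "works".
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update control {
            &Auth-Type := LDAP
        }
    }
    [...]
}

post-auth {
    [...]
    # One comparison per group, independent of which backend answered.
    # "[*]" matches if any instance of the attribute equals the value.
    if (&control:LDAP-Cached-Membership[*] == "group1") {
        update reply {
            [...]
        }
    }
    elsif (&control:LDAP-Cached-Membership[*] == "group2") {
        update reply {
            [...]
        }
    }
    elsif (&control:LDAP-Cached-Membership[*] == "group3") {
        update reply {
            [...]
        }
    }
    else {
        update reply {
            [...]
        }
    }
}
```

With the cache attribute in place, the Ansible template only has to expand one group-to-reply mapping rather than one clause per backend, and adding a fourth ldap instance is just another entry in the redundant-load-balance block. Run the server with -X once and confirm that the successful instance logs the group memberships being added to control:LDAP-Cached-Membership before relying on the post-auth comparisons.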