ldap redundant-load-balance sanity check and questions

Alan DeKok aland at deployingradius.com
Tue Oct 11 22:47:31 UTC 2022


On Oct 11, 2022, at 4:55 PM, Brantley Padgett via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> There was a thread a few days ago that caused me to relook at how to configure failover for multiple ldap backends. After a lot of reading, a lot more trial and error, I have an apparently functioning solution. Is there anything glaringly wrong with this configuration?

  If it works...

> Also, I didn't have any luck finding end to end examples so also hoping this will help if anyone else is trying to figure out a similar setup.

  There are rarely documentation pages which describe everything people want to do.  You really do have to put the pieces together yourself.  It's usually not hard, it just takes care and attention.

> First, my setup. I started with a fresh build, installed FR 3.2 from the networkradius repo.
> 
> I added to radiusd.conf in the instantiate stanza:
>     redundant-load-balance redundant_ldap {
>         server1
>         server2
>         server3
>     }

  That's good.

> I edited mods-available/ldap:
> 
> ldap server1 {
>     $INCLUDE ${modconfdir}/files/ldap_server_info
>     server = 'ldap1.example.net'
> }
> ldap server2 {
>     $INCLUDE ${modconfdir}/files/ldap_server_info
>     server = 'ldap2.example.net'
> }
> ldap server3 {
>     $INCLUDE ${modconfdir}/files/ldap_server_info
>     server = 'ldap3.example.net'
> }

  That's fine.  I'd put those files somewhere else, as ${modconfdir}/files/ is intended for the "files" module.  But it doesn't matter. 

> To make ldap more readable and save typing, next made a file in mods-config/files/ldap_server_info containing all the ldap data, user, group, filters, etc that are static between all 3 nodes.
 
  That makes sense.

> Then, in sites-available/default
> 
> Under authenticate I uncommented and changed the Auth-Type LDAP call to
> 
>     Auth-Type LDAP {
>         redundant_ldap {
>         }

  You don't need those brackets.  Just do:

	Auth-Type LDAP {
		redundant_ldap
	}

> Under authorize is where I have a few questions. What I finally did that works: (question #1)
> 
>     redundant_ldap
>     if ((ok || updated) && User-Password && !control:Auth-Type) {
>         update control {
>             &Auth-Type := LDAP

  Yes.  If you're using LDAP as an "oracle", you have to force Auth-Type = LDAP.

> Finally, under post-auth I have it return back some groups/etc for various devices. It finally clicked that I had to list each ldap server instance for Ldap-Group

  There is unfortunately no automatic failover with LDAP-Group.  So yes, you have to check each LDAP server manually, by specifying the exact module: Server2-LDAP-Group, etc.

> Foremost, where I had to comment out the update control auth-type, what is that step? I know this is a pretty basic question but either I couldn't find in the docs (I'm sure it's there I just don't know what to look for), or didn't understand if I did find it, what is that update call actually doing? I tried a few different versions and when the config check ran cleanly I stopped messing with it. I get appropriate answers from radtest, I just am not sure what is happening. I actually had all of the update block commented out, so just "if (( ok... )) {}" with nothing between the braces and it works, which is the reason for the question. I assume this is an example as stated in the docs to not mess with auth-type but let the server "just figure it out", but wanted to make sure.

  Setting Auth-Type tells the server which "authenticate" sub-section to run.  There are many different authentication methods, and there are many different ways to authenticate users.  So it has to know somehow how the user is authenticated.

> Question 2 - is there a better way of handling multiple server[n]-Ldap-Group responses?

  Unfortunately, no.  We're looking into fixing that for v4.

  Alan DeKok.
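Putting the pieces from this thread together, the following is an added end-to-end example for FreeRADIUS 3.x; it is not Brantley's or Alan's configuration and not from the FreeRADIUS project. It assumes the three instance names used above, a shared include file placed outside the "files" module directory (the path ${modconfdir}/ldap/common.conf is hypothetical), a hypothetical group DN cn=netadmins,ou=groups,dc=example,dc=net, and a Filter-Id reply as a stand-in for whatever device-specific attributes you actually return.

```unlang
# --- radiusd.conf, instantiate section ---
# redundant_ldap spreads queries over the three instances and, when the
# chosen instance returns "fail", moves on to the next one.
instantiate {
    redundant-load-balance redundant_ldap {
        server1
        server2
        server3
    }
}

# --- mods-available/ldap ---
# One instance per backend; everything that is identical on all three
# (base_dn, identity, password, filters, group settings) lives in the
# shared include.  Path is an assumption for this example.
ldap server1 {
    $INCLUDE ${modconfdir}/ldap/common.conf
    server = 'ldap1.example.net'
}
ldap server2 {
    $INCLUDE ${modconfdir}/ldap/common.conf
    server = 'ldap2.example.net'
}
ldap server3 {
    $INCLUDE ${modconfdir}/ldap/common.conf
    server = 'ldap3.example.net'
}

# --- sites-available/default ---
authorize {
    # Look the user up on whichever backend answers.
    redundant_ldap

    # The user was found (ok/updated), sent a PAP password, and nothing
    # earlier in authorize chose an authentication method.  Force the
    # "Auth-Type LDAP" sub-section below so the password is checked by an
    # LDAP bind instead of the server having to guess.
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update control {
            &Auth-Type := LDAP
        }
    }
}

authenticate {
    # No braces needed after the module/group name.
    Auth-Type LDAP {
        redundant_ldap
    }
}

post-auth {
    # LDAP-Group comparisons have no failover: each instance exposes its own
    # <instance>-LDAP-Group attribute, so every backend is tried in turn.
    # "||" stops at the first instance that confirms membership.
    if (&server1-LDAP-Group == "cn=netadmins,ou=groups,dc=example,dc=net" ||
        &server2-LDAP-Group == "cn=netadmins,ou=groups,dc=example,dc=net" ||
        &server3-LDAP-Group == "cn=netadmins,ou=groups,dc=example,dc=net") {
        update reply {
            &Filter-Id := "netadmins"
        }
    }
}
```

Run "radiusd -XC" after each change to catch syntax errors, then "radiusd -X" with a radtest against a known user: the debug output shows which instance redundant_ldap picked in authorize, that Auth-Type was set before authenticate ran, and which of the three <instance>-LDAP-Group comparisons actually returned true in post-auth.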


