Multiple LDAP servers best practice

Tony Skalski ajs at stolaf.edu
Wed Feb 15 19:11:13 UTC 2023


Hi,

We use EAP-PEAP and use ldap to normalize usernames and retrieve group
membership (via ldaps). We recently found that our freeradius servers were
only connecting to the first of four ldap servers specified in
mods-available/ldap. The servers are listed on separate lines like this:

       server = 'ldaps://dc1.ad.stolaf.edu'
       server = 'ldaps://dc2.ad.stolaf.edu'
       server = 'ldaps://dc3.ad.stolaf.edu'
       server = 'ldaps://dc4.ad.stolaf.edu'

The certificates used for ldaps have SANs that include our domain name
'ad.stolaf.edu', and on my dev server I found that using
"server = 'ad.stolaf.edu'" will start connections with all ldap servers,
modulo DNS round robin results.

I consulted some openldap documentation, but am still left with the
question: what is the best practice for listing and utilizing multiple LDAP
servers (for both failover and load balancing)?

Also, is URI or hostname more preferred? (both seem to work in my testing,
I do specify "port = 636" elsewhere in the config)

radiusd -X output from our production config (4 servers listed one per
line):

Wed Feb 15 07:38:33 2023 : Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20446
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Initialising connection pool
Wed Feb 15 07:38:33 2023 : Debug:    pool {
Wed Feb 15 07:38:33 2023 : Debug:     start = 5
Wed Feb 15 07:38:33 2023 : Debug:     min = 3
Wed Feb 15 07:38:33 2023 : Debug:     max = 32
Wed Feb 15 07:38:33 2023 : Debug:     spare = 10
Wed Feb 15 07:38:33 2023 : Debug:     uses = 0
Wed Feb 15 07:38:33 2023 : Debug:     lifetime = 0
Wed Feb 15 07:38:33 2023 : Debug:     cleanup_interval = 30
Wed Feb 15 07:38:33 2023 : Debug:     idle_timeout = 60
Wed Feb 15 07:38:33 2023 : Debug:     retry_delay = 30
Wed Feb 15 07:38:33 2023 : Debug:     spread = no
Wed Feb 15 07:38:33 2023 : Debug:    }
Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x564cf7a99500
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x564cf7ac04b0
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x564cf7aae7a0
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x564cf7ac1390
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x564cf7ab5cc0
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful

Connections from radius server to ldap server (note 5 connections to the same
server):

[root at rad-dev ~]# lsof -i | grep radiusd | grep ldaps
radiusd   1023016 radiusd    5u  IPv6 16259147      0t0  TCP rad-dev:56548->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    6u  IPv6 16259152      0t0  TCP rad-dev:56554->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    7u  IPv6 16259157      0t0  TCP rad-dev:56556->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    8u  IPv6 16259162      0t0  TCP rad-dev:56562->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    9u  IPv6 16259167      0t0  TCP rad-dev:56566->[DEAD::BEEF]:ldaps (ESTABLISHED)

dc1.ad.stolaf.edu <--> DEAD::BEEF

Thanks!

ajs
--
*Tony Skalski (he/him/his)*
System Administrator | IT
Office: 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
stolaf.edu
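The following is an added example, not code from Tony's post or from the FreeRADIUS project. It turns the check Tony did by hand (four `server` lines in mods-available/ldap, five established LDAPS sockets in `lsof -i`, all to the same address) into a small script: it reads the configured servers out of the module config, counts the radiusd process's established LDAPS connections per backend from `lsof -i` output, and reports which configured servers carry no connections at all. The first lsof sample is the one from the post, with the anonymised address `DEAD::BEEF` mapped to dc1 as the post states; the second lsof sample, the sshd line in it, and the `ADDR_TO_NAME` map are constructed for the example.

```python
"""Check how an rlm_ldap connection pool spreads LDAPS connections over the
servers listed in mods-available/ldap, from config text and `lsof -i` output.
All samples below are constructed for this example (the first lsof block
reproduces the shape of the one in the mailing-list post)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Config fragment in the shape shown in the post: one server per line.
LDAP_CONFIG = """\
ldap {
       server = 'ldaps://dc1.ad.stolaf.edu'
       server = 'ldaps://dc2.ad.stolaf.edu'
       server = 'ldaps://dc3.ad.stolaf.edu'
       server = 'ldaps://dc4.ad.stolaf.edu'
       port = 636
}
"""

# lsof output as in the post: every pool connection goes to the same address.
LSOF_ONE_BACKEND = """\
radiusd   1023016 radiusd    5u  IPv6 16259147      0t0  TCP rad-dev:56548->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    6u  IPv6 16259152      0t0  TCP rad-dev:56554->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    7u  IPv6 16259157      0t0  TCP rad-dev:56556->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    8u  IPv6 16259162      0t0  TCP rad-dev:56562->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    9u  IPv6 16259167      0t0  TCP rad-dev:56566->[DEAD::BEEF]:ldaps (ESTABLISHED)
"""

# Constructed lsof output for the desired state: connections spread over all
# four controllers (lsof printing names, not addresses), plus an unrelated
# sshd socket that the filter must ignore.
LSOF_SPREAD = """\
radiusd   1023016 radiusd    5u  IPv6 16259147      0t0  TCP rad-dev:56548->dc1.ad.stolaf.edu:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    6u  IPv6 16259152      0t0  TCP rad-dev:56554->dc2.ad.stolaf.edu:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    7u  IPv6 16259157      0t0  TCP rad-dev:56556->dc3.ad.stolaf.edu:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    8u  IPv6 16259162      0t0  TCP rad-dev:56562->dc4.ad.stolaf.edu:ldaps (ESTABLISHED)
radiusd   1023016 radiusd    9u  IPv6 16259167      0t0  TCP rad-dev:56566->dc1.ad.stolaf.edu:ldaps (ESTABLISHED)
sshd      2001    root       3u  IPv4 16000000      0t0  TCP rad-dev:ssh->10.0.0.9:50000 (ESTABLISHED)
"""

# Address -> server name, as the post gives it (DEAD::BEEF <--> dc1).
# Constructed map; on a real host you would fill it from DNS.
ADDR_TO_NAME = {"DEAD::BEEF": "dc1.ad.stolaf.edu"}

# `server = 'value'` lines; a leading '#' makes the line a comment, so it is skipped.
SERVER_RE = re.compile(r"^\s*server\s*=\s*['\"]?(?P<value>[^'\"\s]+)['\"]?", re.M)

# One `lsof -i` TCP line: command, pid, then local:port->remote:port (state).
# The remote may be a bracketed IPv6 literal, an IPv4 address or a hostname.
LSOF_TCP_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+.*?\bTCP\s+"
    r"(?P<lhost>\S+):(?P<lport>\w+)->"
    r"\[?(?P<rhost>[^\]\s]+)\]?:(?P<rport>\w+)\s+\((?P<state>\w+)\)\s*$"
)


def host_of(server_value):
    """Hostname from a `server` value, whether URI (ldaps://host) or host[:port]."""
    if "://" in server_value:
        return urlsplit(server_value).hostname
    return server_value.split(":")[0] if server_value.count(":") == 1 else server_value


def parse_server_hosts(config_text):
    """Configured LDAP server hostnames, in the order they appear."""
    return [host_of(m["value"]) for m in SERVER_RE.finditer(config_text)]


def connection_distribution(lsof_text, addr_to_name, process="radiusd"):
    """Count ESTABLISHED LDAPS connections of `process` per server name."""
    counts = Counter()
    for line in lsof_text.splitlines():
        m = LSOF_TCP_RE.match(line)
        if not m or m["cmd"] != process or m["state"] != "ESTABLISHED":
            continue
        if m["rport"] not in ("ldaps", "636"):
            continue
        counts[addr_to_name.get(m["rhost"], m["rhost"])] += 1
    return counts


def assess_spread(configured_hosts, counts):
    """Compare configured servers with the ones actually carrying connections."""
    used = [h for h in configured_hosts if counts.get(h, 0) > 0]
    unused = [h for h in configured_hosts if counts.get(h, 0) == 0]
    total = sum(counts.values())
    return {
        "total_connections": total,
        "used": used,
        "unused": unused,
        # Several pool connections but only one backend in use: the post's finding.
        "single_backend": total > 1 and len(used) == 1,
    }


if __name__ == "__main__":
    hosts = parse_server_hosts(LDAP_CONFIG)
    for label, sample in (("as posted", LSOF_ONE_BACKEND), ("spread", LSOF_SPREAD)):
        report = assess_spread(hosts, connection_distribution(sample, ADDR_TO_NAME))
        print(label, report)
```

The script only shows a point-in-time picture: with `lsof` you see the sockets that exist now, and with DNS round robin behind a single name the picture changes between runs, so it is worth sampling a few times. The pattern it flags (five connections, one backend) is what a space-separated URI list gives by design: libldap tries the URIs in order and uses the first server that answers, so listing several `server` entries buys failover to the next server when the first is down, not load spreading across all of them.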

