Multiple LDAP servers best practice
Tony Skalski
ajs at stolaf.edu
Wed Feb 15 19:11:13 UTC 2023
Hi,
We use EAP-PEAP and use ldap to normalize usernames and retrieve group
membership (via ldaps). We recently found that our freeradius servers were
only connecting to the first of four ldap servers specified in
mods-available/ldap. The servers are listed on separate lines like this:
server = 'ldaps://dc1.ad.stolaf.edu'
server = 'ldaps://dc2.ad.stolaf.edu'
server = 'ldaps://dc3.ad.stolaf.edu'
server = 'ldaps://dc4.ad.stolaf.edu'
The certificates used for ldaps have SANs that include our domain name
'ad.stolaf.edu' and on my dev server I found that using
"server = 'ad.stolaf.edu'" will start connections with all ldap servers,
modulo DNS round robin results.
I consulted some openldap documentation, but am still left with the
question: what is the best practice for listing and utilizing multiple LDAP
servers (for both failover and load balancing)?
Also, is URI or hostname more preferred? (both seem to work in my testing,
I do specify "port = 636" elsewhere in the config)
radiusd -X output from our production config (4 servers listed one per
line):
Wed Feb 15 07:38:33 2023 : Info: rlm_ldap: libldap vendor: OpenLDAP, version: 20446
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Initialising connection pool
Wed Feb 15 07:38:33 2023 : Debug: pool {
Wed Feb 15 07:38:33 2023 : Debug: start = 5
Wed Feb 15 07:38:33 2023 : Debug: min = 3
Wed Feb 15 07:38:33 2023 : Debug: max = 32
Wed Feb 15 07:38:33 2023 : Debug: spare = 10
Wed Feb 15 07:38:33 2023 : Debug: uses = 0
Wed Feb 15 07:38:33 2023 : Debug: lifetime = 0
Wed Feb 15 07:38:33 2023 : Debug: cleanup_interval = 30
Wed Feb 15 07:38:33 2023 : Debug: idle_timeout = 60
Wed Feb 15 07:38:33 2023 : Debug: retry_delay = 30
Wed Feb 15 07:38:33 2023 : Debug: spread = no
Wed Feb 15 07:38:33 2023 : Debug: }
Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x564cf7a99500
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 31 pending slots used
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x564cf7ac04b0
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional connection (2), 1 of 30 pending slots used
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x564cf7aae7a0
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional connection (3), 1 of 29 pending slots used
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x564cf7ac1390
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional connection (4), 1 of 28 pending slots used
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle 0x564cf7ab5cc0
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind result...
Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
Connections from radius server to ldap server - note 5 connections to the same server:
[root at rad-dev ~]# lsof -i | grep radiusd | grep ldaps
radiusd 1023016 radiusd 5u IPv6 16259147 0t0 TCP rad-dev:56548->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd 1023016 radiusd 6u IPv6 16259152 0t0 TCP rad-dev:56554->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd 1023016 radiusd 7u IPv6 16259157 0t0 TCP rad-dev:56556->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd 1023016 radiusd 8u IPv6 16259162 0t0 TCP rad-dev:56562->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd 1023016 radiusd 9u IPv6 16259167 0t0 TCP rad-dev:56566->[DEAD::BEEF]:ldaps (ESTABLISHED)
dc1.ad.stolaf.edu <--> DEAD::BEEF
Thanks!
ajs
--
*Tony Skalski (he/him/his)*
System Administrator | IT
Office: 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
stolaf.edu
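The debug output above shows why all five pooled connections land on dc1: rlm_ldap hands libldap the four servers as one space-separated URI list, and libldap tries such a list in order and keeps the first server that answers, so the list gives failover, not load balancing. A quick way to catch this in production is to count established ldaps connections per destination and flag pools that never touch a configured server. The following checker is an added example, not code from the post or from FreeRADIUS; it parses `lsof -i` style lines, maps peer addresses to hostnames (the dc1 <--> DEAD::BEEF mapping is from the post, the other three addresses are constructed placeholders), and reports unused servers and single-server pools.

```python
"""Check how a radiusd LDAP connection pool is spread over the configured
LDAP servers, from the output of `lsof -i`. Hypothetical helper, not part
of FreeRADIUS."""
import re
from collections import Counter

# Constructed sample 1: the lsof lines from the post (address masked as in
# the post). Every connection goes to the same peer.
SAMPLE_LSOF_ONE_SERVER = """\
radiusd 1023016 radiusd 5u IPv6 16259147 0t0 TCP rad-dev:56548->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd 1023016 radiusd 6u IPv6 16259152 0t0 TCP rad-dev:56554->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd 1023016 radiusd 7u IPv6 16259157 0t0 TCP rad-dev:56556->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd 1023016 radiusd 8u IPv6 16259162 0t0 TCP rad-dev:56562->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd 1023016 radiusd 9u IPv6 16259167 0t0 TCP rad-dev:56566->[DEAD::BEEF]:ldaps (ESTABLISHED)
"""

# Constructed sample 2: what a pool spread by DNS round robin could look
# like. Includes a non-ldaps and a non-ESTABLISHED line that must be ignored.
SAMPLE_LSOF_SPREAD = """\
radiusd 2000 radiusd 5u IPv6 1 0t0 TCP rad-dev:40001->[DEAD::BEEF]:ldaps (ESTABLISHED)
radiusd 2000 radiusd 6u IPv6 2 0t0 TCP rad-dev:40002->[DEAD::BEE2]:ldaps (ESTABLISHED)
radiusd 2000 radiusd 7u IPv6 3 0t0 TCP rad-dev:40003->[DEAD::BEE3]:ldaps (ESTABLISHED)
radiusd 2000 radiusd 8u IPv6 4 0t0 TCP rad-dev:40004->[DEAD::BEE4]:ldaps (SYN_SENT)
radiusd 2000 radiusd 9u IPv4 5 0t0 UDP *:radius
"""

# dc1 <--> DEAD::BEEF is from the post; the other three are constructed.
ADDR_TO_HOST = {
    "DEAD::BEEF": "dc1.ad.stolaf.edu",
    "DEAD::BEE2": "dc2.ad.stolaf.edu",
    "DEAD::BEE3": "dc3.ad.stolaf.edu",
    "DEAD::BEE4": "dc4.ad.stolaf.edu",
}

# The four servers listed in mods-available/ldap in the post.
CONFIGURED = ["dc1.ad.stolaf.edu", "dc2.ad.stolaf.edu",
              "dc3.ad.stolaf.edu", "dc4.ad.stolaf.edu"]

# Peer side of an lsof TCP line: "[v6addr]" or host/v4addr, then :service,
# then the connection state in parentheses.
PEER_RE = re.compile(r"->(\[[^\]]+\]|[^\s:]+):(\S+)\s+\((\w+)\)")


def pool_distribution(lsof_text, addr_to_host, service="ldaps",
                      process="radiusd"):
    """Count ESTABLISHED connections of `process` to `service`, keyed by
    hostname (or raw address when the map has no entry)."""
    counts = Counter()
    for line in lsof_text.splitlines():
        if not line.startswith(process):
            continue
        m = PEER_RE.search(line)
        if not m:
            continue
        peer, svc, state = m.groups()
        if svc != service or state != "ESTABLISHED":
            continue
        peer = peer.strip("[]")
        counts[addr_to_host.get(peer, peer)] += 1
    return counts


def assess(counts, configured):
    """Summarise the pool: total connections, configured servers that carry
    none, and whether the whole pool sits on one server (failover-only)."""
    total = sum(counts.values())
    busiest, busiest_n = counts.most_common(1)[0] if counts else (None, 0)
    return {
        "total": total,
        "unused": [h for h in configured if counts.get(h, 0) == 0],
        "single_server": total > 0 and busiest_n == total,
        "busiest": busiest,
    }


if __name__ == "__main__":
    for name, text in (("one server", SAMPLE_LSOF_ONE_SERVER),
                       ("spread", SAMPLE_LSOF_SPREAD)):
        report = assess(pool_distribution(text, ADDR_TO_HOST), CONFIGURED)
        print(name, report)
```

Run against live output with `lsof -i | grep radiusd` piped into `pool_distribution`; a `single_server` verdict with several `unused` entries is the signature of the ordered-failover behaviour seen in the post, and is harmless for availability but means the other servers only get traffic once dc1 stops answering.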