Multiple LDAP servers best practice

Alan DeKok aland at deployingradius.com
Wed Feb 15 19:25:18 UTC 2023


On Feb 15, 2023, at 2:11 PM, Tony Skalski via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> We use EAP-PEAP and use ldap to normalize usernames and retrieve group
> membership (via ldaps). We recently found that our freeradius servers were
> only connecting to the first of four ldap servers specified in
> mods-available/ldap. The servers are listed on separate lines like this:
> 
>       server = 'ldaps://dc1.ad.stolaf.edu'
>       server = 'ldaps://dc2.ad.stolaf.edu'
>       server = 'ldaps://dc3.ad.stolaf.edu'
>       server = 'ldaps://dc4.ad.stolaf.edu'

  When that configuration is used, the failover from one LDAP server to the other is handled by the LDAP libraries.  FreeRADIUS isn't really involved.

  The LDAP libraries fail over from one server to another when a server fails.  I don't think they do round robin or load balancing.

> I consulted some openldap documentation, but am still left with the
> question: what is the best practice for listing and utilizing multiple LDAP
> servers (for both failover and load balancing)?

  It depends what you want.  FreeRADIUS allows you to configure almost anything.

  The configuration above only does failover.  It doesn't do load balancing.  But if it works... it's fine.

> Also, is URI or hostname more preferred? (both seem to work in my testing,
> I do specify "port = 636" elsewhere in the config)

  It doesn't really matter.

  Alan DeKok.
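As an added illustration (not part of the thread, and not the poster's actual configuration), the two approaches distinguished above side by side: the single-instance form, where failover between the four `server =` entries is left to the LDAP client library, and a per-server-instance form where FreeRADIUS itself spreads queries across the directory servers with the unlang `redundant-load-balance` block. The instance names (`ldap_dc1` ... `ldap_dc4`), the bind DN, password and base DN values are placeholders chosen here; the host names are the ones quoted in the question.

```conf
# --- Form 1: one module instance, several servers (failover only) ---
# mods-available/ldap
# The LDAP library tries dc1 first and only moves on when it fails;
# FreeRADIUS does no load balancing here.
ldap {
    server = 'ldaps://dc1.ad.stolaf.edu'
    server = 'ldaps://dc2.ad.stolaf.edu'
    server = 'ldaps://dc3.ad.stolaf.edu'
    server = 'ldaps://dc4.ad.stolaf.edu'
    port = 636
    identity = 'CN=PLACEHOLDER-bind-account,DC=ad,DC=stolaf,DC=edu'   # placeholder
    password = 'PLACEHOLDER'                                           # placeholder
    base_dn = 'DC=ad,DC=stolaf,DC=edu'                                 # placeholder
}

# --- Form 2: one module instance per server, balanced by FreeRADIUS ---
# mods-available/ldap (replaces the block above)
# Each instance holds exactly one server; the other settings are the same.
ldap ldap_dc1 {
    server = 'ldaps://dc1.ad.stolaf.edu'
    port = 636
    identity = 'CN=PLACEHOLDER-bind-account,DC=ad,DC=stolaf,DC=edu'   # placeholder
    password = 'PLACEHOLDER'                                           # placeholder
    base_dn = 'DC=ad,DC=stolaf,DC=edu'                                 # placeholder
}
ldap ldap_dc2 {
    server = 'ldaps://dc2.ad.stolaf.edu'
    port = 636
    identity = 'CN=PLACEHOLDER-bind-account,DC=ad,DC=stolaf,DC=edu'   # placeholder
    password = 'PLACEHOLDER'                                           # placeholder
    base_dn = 'DC=ad,DC=stolaf,DC=edu'                                 # placeholder
}
# ldap_dc3 and ldap_dc4 follow the same pattern with their own server line.

# sites-enabled/default (or the inner-tunnel virtual server for PEAP)
authorize {
    # ... preprocessing modules ...

    # Pick one instance per request; if it returns "fail" (e.g. the server
    # is down), fall through to the next one.  Use plain "redundant { }"
    # instead if you want strict ordering with no balancing.
    redundant-load-balance {
        ldap_dc1
        ldap_dc2
        ldap_dc3
        ldap_dc4
    }

    # ... eap, pap, etc. ...
}
```

With Form 2 the `ldap` module name no longer exists, so any bare `ldap` reference in `authorize`, `post-auth` or the `inner-tunnel` server has to be replaced by the block above (or by one of the instance names). Either way, confirming the behaviour empirically is simple: watch the established TLS connections to port 636 on the RADIUS host while tests run and check which directory servers appear.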


