Multiple LDAP servers best practice

Brendan Kearney bpk678 at gmail.com
Wed Feb 15 19:25:57 UTC 2023


If you do an nslookup on "ad.stolaf.edu", all of the domain controllers' 
IPs will be listed; hence the round-robin load balancing. While not 
"balanced", it is load sharing and provides high availability and fault 
tolerance. The missing piece is knowing when a DC is out of the mix and 
being able to adjust traffic so that it does not go to that host.

I use HAProxy, and have set up a VIP for LDAP. HAProxy can perform a 
check against LDAP to confirm the service is up and operational. Using 
this, the VIP can load balance across several hosts, and know when/if 
the services on the host, not just the host, are alive. There are some 
tweaks to OpenLDAP I had to perform in order for the load balancing to 
work. One of the tweaks was setting olcSuffix to the DN I wanted all 
servers to reply to.

With the HAProxy VIP in place, I point my FreeRADIUS instances at the 
LDAP VIP, and don't worry about configuring failover in FreeRADIUS.

On 2/15/23 2:11 PM, Tony Skalski via Freeradius-Users wrote:
> Hi,
>
> We use EAP-PEAP and use LDAP to normalize usernames and retrieve group
> membership (via ldaps). We recently found that our FreeRADIUS servers were
> only connecting to the first of four LDAP servers specified in
> mods-available/ldap. The servers are listed on separate lines like this:
>
>         server = 'ldaps://dc1.ad.stolaf.edu'
>         server = 'ldaps://dc2.ad.stolaf.edu'
>         server = 'ldaps://dc3.ad.stolaf.edu'
>         server = 'ldaps://dc4.ad.stolaf.edu'
>
> The certificates used for ldaps have SANs that include our domain name
> 'ad.stolaf.edu', and on my dev server I found that using
> "server = 'ad.stolaf.edu'" will start connections with all LDAP servers,
> modulo DNS round robin results.
>
> I consulted some openldap documentation, but am still left with the
> question: what is the best practice for listing and utilizing multiple LDAP
> servers (for both failover and load balancing)?
>
> Also, is URI or hostname more preferred? (both seem to work in my testing,
> I do specify "port = 636" elsewhere in the config)
>
> radiusd -X output from our production config (4 servers listed one per
> line):
>
> Wed Feb 15 07:38:33 2023 : Info: rlm_ldap: libldap vendor: OpenLDAP,
> version: 20446
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Initialising connection
> pool
> Wed Feb 15 07:38:33 2023 : Debug:    pool {
> Wed Feb 15 07:38:33 2023 : Debug:     start = 5
> Wed Feb 15 07:38:33 2023 : Debug:     min = 3
> Wed Feb 15 07:38:33 2023 : Debug:     max = 32
> Wed Feb 15 07:38:33 2023 : Debug:     spare = 10
> Wed Feb 15 07:38:33 2023 : Debug:     uses = 0
> Wed Feb 15 07:38:33 2023 : Debug:     lifetime = 0
> Wed Feb 15 07:38:33 2023 : Debug:     cleanup_interval = 30
> Wed Feb 15 07:38:33 2023 : Debug:     idle_timeout = 60
> Wed Feb 15 07:38:33 2023 : Debug:     retry_delay = 30
> Wed Feb 15 07:38:33 2023 : Debug:     spread = no
> Wed Feb 15 07:38:33 2023 : Debug:    }
> Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional
> connection (0), 1 of 32 pending slots used
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://
> dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://
> dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle
> 0x564cf7a99500
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind
> result...
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
> Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional
> connection (1), 1 of 31 pending slots used
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://
> dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://
> dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle
> 0x564cf7ac04b0
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind
> result...
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
> Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional
> connection (2), 1 of 30 pending slots used
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://
> dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://
> dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle
> 0x564cf7aae7a0
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind
> result...
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
> Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional
> connection (3), 1 of 29 pending slots used
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://
> dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://
> dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle
> 0x564cf7ac1390
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind
> result...
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
> Wed Feb 15 07:38:33 2023 : Info: rlm_ldap (ldap): Opening additional
> connection (4), 1 of 28 pending slots used
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Connecting to ldaps://
> dc1.ad.stolaf.edu:636 ldaps://dc2.ad.stolaf.edu:636 ldaps://
> dc3.ad.stolaf.edu:636 ldaps://dc4.ad.stolaf.edu:636
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): New libldap handle
> 0x564cf7ab5cc0
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Waiting for bind
> result...
> Wed Feb 15 07:38:33 2023 : Debug: rlm_ldap (ldap): Bind successful
>
> Connections from radius server to ldap server - note 5 connections to same
> server:
>
> [root at rad-dev ~]# lsof -i | grep radiusd | grep ldaps
> radiusd   1023016 radiusd    5u  IPv6 16259147      0t0  TCP
> rad-dev:56548->[DEAD::BEEF]:ldaps (ESTABLISHED)
> radiusd   1023016 radiusd    6u  IPv6 16259152      0t0  TCP
> rad-dev:56554->[DEAD::BEEF]:ldaps (ESTABLISHED)
> radiusd   1023016 radiusd    7u  IPv6 16259157      0t0  TCP
> rad-dev:56556->[DEAD::BEEF]:ldaps (ESTABLISHED)
> radiusd   1023016 radiusd    8u  IPv6 16259162      0t0  TCP
> rad-dev:56562->[DEAD::BEEF]:ldaps (ESTABLISHED)
> radiusd   1023016 radiusd    9u  IPv6 16259167      0t0  TCP
> rad-dev:56566->[DEAD::BEEF]:ldaps (ESTABLISHED)
>
> dc1.ad.stolaf.edu <--> DEAD::BEEF
>
> Thanks!
>
> ajs
> --
> *Tony Skalski (he/him/his)*
> System Administrator | IT
> Office: 507-786-3227
> 1510 St. Olaf Avenue Northfield, MN 55057
> stolaf.edu
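The HAProxy VIP approach from the reply, written out as an added example (not configuration from either poster): a TCP-mode VIP in front of the four DCs named in the original question, with HAProxy's LDAP-level health check so a DC whose directory service is down is pulled from rotation rather than just a DC whose host is unreachable. The VIP address 192.0.2.10, the server names and the check timings are assumed values chosen for illustration.

```haproxy
# Added example: HAProxy VIP for LDAPS with a protocol-aware health check.
# Assumed VIP address 192.0.2.10; DC hostnames are those from the thread.
global
    log /dev/log local0
    maxconn 4096

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend ldaps_vip
    bind 192.0.2.10:636
    default_backend ldaps_dcs

backend ldaps_dcs
    balance roundrobin
    # "option ldap-check" makes HAProxy send an anonymous LDAPv3 bind and
    # expect a bindResponse, so a DC that accepts TCP but is not serving
    # LDAP is marked DOWN. Client traffic is passed through untouched as TLS
    # on 636; the probe is sent to plaintext LDAP on 389 ("check port 389"),
    # which the DCs listen on anyway, so no TLS is needed for the check.
    # fall 2 / rise 2 at a 5s interval: a DC is removed after two failed
    # probes and only returned after two consecutive successes.
    option ldap-check
    server dc1 dc1.ad.stolaf.edu:636 check port 389 inter 5s fall 2 rise 2
    server dc2 dc2.ad.stolaf.edu:636 check port 389 inter 5s fall 2 rise 2
    server dc3 dc3.ad.stolaf.edu:636 check port 389 inter 5s fall 2 rise 2
    server dc4 dc4.ad.stolaf.edu:636 check port 389 inter 5s fall 2 rise 2
```

On the FreeRADIUS side a single `server = 'ldaps://<vip-hostname>'` in mods-available/ldap then replaces the four entries. Because HAProxy only passes TCP through, FreeRADIUS still validates the certificate each DC presents, so the VIP hostname must appear in the DC certificates' SANs (the original question notes that ad.stolaf.edu already does).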