Discussion:
Load-balancing LDAP
Jonathan Gazeley
2016-07-14 14:44:42 UTC
Hi folks,

We're using an instantiation of the ldap module to check group
membership, currently calling in an xlat[1] way like this:

switch "%{uobldap:ldap:///DC=ads,DC=bris,DC=ac,DC=uk?objectCategory?sub?(Name=%{reply:User-Name})}" {
        ...
}

At the moment the ldap config itself specifies multiple ldap servers and
we've been using this for load-balancing, but we have found it
unsatisfactory as the openldap client doesn't seem to fail over properly
when the ldap servers go away.

So I want to start using FreeRADIUS's redundant-load-balance section[2]
but at the moment I can't see how to use this with the xlat style of
calling the ldap module. Can I do something like wrap it in a policy and
load-balance between policies?

[1] http://wiki.freeradius.org/modules/rlm_ldap#ldap-xlat
[2] http://wiki.freeradius.org/config/load-balancing

Thanks,
Jonathan
--
Jonathan Gazeley
Senior Systems Administrator
IT Services
University of Bristol
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/
A***@lboro.ac.uk
2016-07-14 14:59:15 UTC
Hi,
Post by Jonathan Gazeley
We're using an instantiation of the ldap module to check group
switch "%{uobldap:ldap:///DC=ads,DC=bris,DC=ac,DC=uk?objectCategory?sub?(Name=%{reply:User-Name})}"
{
...
}
At the moment the ldap config itself specifies multiple ldap servers
and we've been using this for load-balancing, but we have found it
unsatisfactory as the openldap client doesn't seem to fail over
properly when the ldap servers go away.
So I want to start using FreeRADIUS's redundant-load-balance
section[2] but at the moment I can't see how to use this with the
xlat style of calling the ldap module. Can I do something like wrap
it in a policy and load-balance between policies?
How have you constructed the uobldap module? The best way is to
instantiate the module and have a list... and the failover/reconnect
is much, much better with 3.x with the connection pool stuff.

eg

instantiate {
        redundant-load-balance master_ldap {
                ldap1
                ldap2
                ldap3
        }
}

Then you simply call master_ldap with your xlat - which is what you want! :-)

alan
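The layout Alan describes, written out as an added example (not Alan's config and not the project's own): one rlm_ldap instance per directory server, each with its own connection pool, grouped by a redundant-load-balance section in instantiate {} so the xlat can name the group rather than a single instance. Host names, bind DN, password and the objectCategory value matched in the switch are placeholders; a third server is added the same way as ldap2.

```unlang
# mods-enabled/ldap: one rlm_ldap instance per directory server, each with
# its own connection pool, which is what gives 3.x its failover/reconnect.
ldap ldap1 {
        server = "ldap1.example.ac.uk"                     # placeholder host
        identity = "CN=radius,DC=ads,DC=example,DC=ac,DC=uk"   # placeholder bind DN
        password = "CHANGE-ME"
        base_dn = "DC=ads,DC=example,DC=ac,DC=uk"
        pool {
                start = 5
                min = 4
                max = 10
                spare = 3
                retry_delay = 30        # seconds a dead server is skipped before retry
        }
}
ldap ldap2 {
        server = "ldap2.example.ac.uk"                     # placeholder host
        identity = "CN=radius,DC=ads,DC=example,DC=ac,DC=uk"
        password = "CHANGE-ME"
        base_dn = "DC=ads,DC=example,DC=ac,DC=uk"
        pool {
                start = 5
                min = 4
                max = 10
                spare = 3
                retry_delay = 30
        }
}
# radiusd.conf: group the instances. Requests are spread across the members,
# and a member whose lookup fails is skipped in favour of the next one.
instantiate {
        redundant-load-balance master_ldap {
                ldap1
                ldap2
        }
}
# sites-enabled/default: the xlat names the group, not one instance, so the
# group membership lookup inherits the group's load-balancing and failover.
authorize {
        switch "%{master_ldap:ldap:///DC=ads,DC=example,DC=ac,DC=uk?objectCategory?sub?(Name=%{reply:User-Name})}" {
                case "CN=Person,CN=Schema,CN=Configuration,DC=ads,DC=example,DC=ac,DC=uk" {
                        ok
                }
                case {
                        reject          # no match, or every member failed
                }
        }
}
```

Run radiusd -X after the change: the debug output shows which instance the group picked and when it moves on to the next one, which is the quickest way to confirm the failover actually happens when a server is taken down.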
Matthew Newton
2016-07-14 15:00:08 UTC
So I want to start using FreeRADIUS's redundant-load-balance section[2] but
at the moment I can't see how to use this with the xlat style of calling the
ldap module. Can I do something like wrap it in a policy and load-balance
between policies?
As I learnt on github PR#1642 the other day...

See radiusd.conf instantiate{}.

https://github.com/FreeRADIUS/freeradius-server/blob/v3.1.x/raddb/radiusd.conf.in#L725-L758

Personally I'd probably set up Linux IPVS for the LDAP service
instead, but that's just from experience of the number of times
I've seen all sorts of LDAP clients break when one of their
supposedly redundant servers goes away.

Matthew
--
Matthew Newton, Ph.D. <***@leicester.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <***@le.ac.uk>
Phil Mayers
2016-07-15 10:08:52 UTC
Post by Jonathan Gazeley
Hi folks,
OT here: does anyone else using Thunderbird have crashing problems when
trying to read an unknown one of the three messages in this thread?

Can't see anything obviously wrong with them, but Thunderbird definitely
doesn't like something about the thread...

Just curious.
Paul Thornton
2016-07-15 10:29:13 UTC
Post by Phil Mayers
Post by Jonathan Gazeley
Hi folks,
OT here: does anyone else using Thunderbird have crashing problems when
trying to read an unknown one of the three messages in this thread?
Yes, I saw this as well. Thunderbird version 45.2.0 on MacOS X 10.11.5

I was cursing and blaming El Capitan as I'd recently upgraded my laptop
(finally) from Mavericks, I take it all back now. Well, some of it :)

Paul.
Jonathan Gazeley
2016-07-15 10:32:57 UTC
Yes, crashes for me too with Thunderbird 45 on Linux. Seems to be Alan's
email :( Also observed with older versions of Thunderbird, too.

Alan, are you doing any funky signing, etc?

Cheers,
Jonathan
Post by Paul Thornton
Post by Phil Mayers
Post by Jonathan Gazeley
Hi folks,
OT here: does anyone else using Thunderbird have crashing problems when
trying to read an unknown one of the three messages in this thread?
Yes, I saw this as well. Thunderbird version 45.2.0 on MacOS X 10.11.5
I was cursing and blaming El Capitan as I'd recently upgraded my laptop
(finally) from Mavericks, I take it all back now. Well, some of it :)
Paul.
--
Jonathan Gazeley
Senior Systems Administrator
IT Services
University of Bristol
Stefan Winter
2016-07-15 10:48:59 UTC
Hi,

It's not Alan's fault - it's all messages containing an LDAP URI, that is

l d a p : / / ...

without the spaces. Thunderbird usually parses URLs and underlines them
so you can click on URLs in plaintext messages. Something must be going
wrong there.

Now that's probably enough for someone to write an exploit for it :-/

Stefan
Post by Jonathan Gazeley
Yes, crashes for me too with Thunderbird 45 on Linux. Seems to be Alan's
email :( Also observed with older versions of Thunderbird, too.
Alan, are you doing any funky signing, etc?
Cheers,
Jonathan
Post by Paul Thornton
Post by Phil Mayers
Post by Jonathan Gazeley
Hi folks,
OT here: does anyone else using Thunderbird have crashing problems when
trying to read an unknown one of the three messages in this thread?
Yes, I saw this as well. Thunderbird version 45.2.0 on MacOS X 10.11.5
I was cursing and blaming El Capitan as I'd recently upgraded my laptop
(finally) from Mavericks, I take it all back now. Well, some of it :)
Paul.
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
2, avenue de l'Université
L-4365 Esch-sur-Alzette

Tel: +352 424409 1
Fax: +352 422473

PGP key updated to 4096 Bit RSA - I will encrypt all mails if the
recipient's key is known to me

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xC0DE6A358A39DC66
Phil Mayers
2016-07-15 11:16:12 UTC
Post by Stefan Winter
Hi,
it's not Alan's fault - all messages containing LDAP URI, that is
l d a p : / / ...
Just sent myself a couple of test variants, no crashes.

Must need a more complex URL.
Phil Mayers
2016-07-15 11:18:23 UTC
Post by Phil Mayers
Post by Stefan Winter
Hi,
it's not Alan's fault - all messages containing LDAP URI, that is
l d a p : / / ...
Just sent myself a couple of test variants, no crashes.
Must need a more complex URL
Ah, I think it's the % in the LDAP URL for things like %{User-Name}.