Discussion:
Redundant LDAP servers in /etc/freeradius/modules/ldap
Tom Yard
2018-11-27 18:55:10 UTC
Dear people, I have a FreeRADIUS server, version 2.2.5, using LDAP for
authentication.

I have just one LDAP server defined in /etc/freeradius/modules/ldap, but
yesterday the DC went down and Freeradius was offline.

Is it possible to have a redundant two-LDAP-server scheme by defining this in
/etc/freeradius/modules/ldap:

ldap {
server = "server1.company.com"
server = "server2.company.com"
identity = "CN=wifi,OU=it,DC=company,DC=com"
password = xxxxx
basedn = "OU=it,DC=company,DC=com"
filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}

Thanks in advance!!!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok
2018-11-27 22:58:18 UTC
Post by Tom Yard
Dear people, I have a FreeRADIUS server, version 2.2.5, using LDAP for
authentication.
I have just one LDAP server defined in /etc/freeradius/modules/ldap, but
yesterday the DC went down and Freeradius was offline.
Is it possible to have a redundant two-LDAP-server scheme by defining this in
/etc/freeradius/modules/ldap:
ldap {
server = "server1.company.com"
server = "server2.company.com"
No.

Some LDAP libraries will parse the server name into multiple pieces if it contains commas:

server = "server1,server2"

I don't recommend that, as it means that the LDAP client library is in charge of fail-over, and they are typically terrible.

It's better to use the fail-over mechanism in FreeRADIUS. It works, and it's under your control.

Alan DeKok.


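The fail-over mechanism Alan refers to is the unlang `redundant` keyword: each LDAP server gets its own rlm_ldap instance, and `redundant` tries the next instance only when the previous one returns `fail` (connection refused, timed out, no reply). The configuration below is an added example for the 2.x file layout the thread uses; it is not from the list posts or from the FreeRADIUS project. The instance names `ldap1`/`ldap2`, the hostnames `dc1.example.com`/`dc2.example.com`, the bind DN and the timeout values are assumptions, and the password is a placeholder.

```conf
# /etc/freeradius/modules/ldap  (FreeRADIUS 2.x; added example, not the thread's config)
#
# One rlm_ldap instance per domain controller. The "module instance-name { }"
# form lets both be loaded side by side; a single instance cannot carry two
# 'server' lines, which is why the original attempt fails.
ldap ldap1 {
	server = "dc1.example.com"                      # assumed hostname
	identity = "CN=wifi,OU=it,DC=example,DC=com"    # assumed bind DN
	password = "CHANGE-ME"                          # placeholder, not a real value
	basedn = "OU=it,DC=example,DC=com"
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Keep these short. A DC that is down must make this instance return
	# 'fail' quickly so the redundant block moves on to ldap2 instead of
	# stalling every authentication for the default connect timeout.
	net_timeout = 1        # seconds to wait for the TCP connect
	timeout = 4            # seconds to wait for an LDAP reply
	timelimit = 3          # server-side search time limit (seconds)
}

ldap ldap2 {
	server = "dc2.example.com"                      # assumed hostname
	identity = "CN=wifi,OU=it,DC=example,DC=com"
	password = "CHANGE-ME"
	basedn = "OU=it,DC=example,DC=com"
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	net_timeout = 1
	timeout = 4
	timelimit = 3
}

# /etc/freeradius/sites-enabled/default  (relevant sections only)
authorize {
	# ... preprocess, eap, etc. stay as they are ...

	# ldap1 is consulted first; ldap2 is consulted only if ldap1 returns
	# 'fail'. An 'ok', 'notfound' or 'reject' from ldap1 is final, so a
	# user that genuinely does not exist is not looked up twice.
	# Use 'redundant-load-balance' instead to spread queries over both
	# DCs while keeping the same fail-over behaviour.
	redundant {
		ldap1
		ldap2
	}

	# ...
}

authenticate {
	# ... pap, chap, mschap, eap stay as they are ...

	# Bind-as-user authentication with the same fail-over order. The
	# section name must match the Auth-Type the authorize step set; an
	# rlm_ldap instance uses its own instance name for that, so verify
	# the value in 'radiusd -X' output and rename the section if needed.
	Auth-Type LDAP {
		redundant {
			ldap1
			ldap2
		}
	}
}
```

Test the fail-over in the lab the same way the outage was discovered: stop (or firewall off) the first DC, run `radiusd -X`, and send a test request with `radtest`. The debug output should show ldap1 returning `fail` within roughly `net_timeout` seconds and ldap2 answering the request; if the request instead hangs for tens of seconds, the timeouts are still at their defaults.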
Tom Yard
2018-11-28 13:43:17 UTC
Dear Alan, thanks for your help.

I have two questions now:

1) There are no commas at all in my definition in
/etc/freeradius/modules/ldap:

ldap {
server = "server1.company.com"
server = "server2.company.com"
....
}

2) Does the failover mechanism work in FreeRADIUS 2.2.5?

Thanks again!!
Post by Alan DeKok
Post by Tom Yard
Dear people, I have a FreeRADIUS server, version 2.2.5, using LDAP for
authentication.
I have just one LDAP server defined in /etc/freeradius/modules/ldap, but
yesterday the DC went down and Freeradius was offline.
Is it possible to have a redundant two-LDAP-server scheme by defining this in
/etc/freeradius/modules/ldap:
ldap {
server = "server1.company.com"
server = "server2.company.com"
No.
Some LDAP libraries will parse the server name into multiple pieces if it contains commas:
server = "server1,server2"
I don't recommend that, as it means that the LDAP client library is in
charge of fail-over, and they are typically terrible.
It's better to use the fail-over mechanism in FreeRADIUS. It works, and
it's under your control.
Alan DeKok.
Alan DeKok
2018-11-28 13:55:38 UTC
Post by Tom Yard
Dear Alan, thanks for your help.
Apparently not, because you have asked exactly the same questions again.
Post by Tom Yard
1) There are no commas at all in my definition in
ldap {
server = "server1.company.com"
server = "server2.company.com"
....
}
I'm well aware there are no commas. Do you think I didn't read your message?

I told you what to do. Why not follow instructions? Do you think if you ask nicely *many* times, I will go "nah, you're right, I lied to you. You CAN use multiple 'server' entries despite all documentation to the contrary".
Post by Tom Yard
2) Does the failover mechanism work in FreeRADIUS 2.2.5?
I told you to use it. Why ask the question again?

Where does this end? How many times should I answer the same question before you believe me?

Q: does it work?
A: Yes
Q: Really?
A: Yes, really.
Q: But no... seriously.. really?
A: <sigh>

Please don't ask the same questions over and over. It's rude. Please follow instructions instead of just asking the same question over and over.

Alan DeKok.

