Load balancing and ldap group cache


Load balancing and ldap group cache

Users mailing list
Hi all,
  Interesting one with v4 migration.
With 3.1 and previous we used to load balance over site-based ldap servers closest to the radius box authenticating the user (we've got a few sites, slow links between), e.g.

        switch &control:Sitename {
                case site1 {
                        redundant-load-balance {
                                site1_ldap1_authorize
                                site1_ldap2_authorize
                                site2_ldap3_authorize
                        }
                }
                case site2 {
..

We then call a later reference to a user group cache in a policy e.g :

if (&control:Cached-Ldap-Group && &control:Cached-Ldap-Group[*] =~ /${policy.groupdn-utvid-regexp}/) {

Which has also worked fine (NB we've used a custom group cache name "Cached-Ldap-Group")

The problem is previous versions used to let you have each ldap instance with the same cache name each time, e.g.

ldap site1_ldap1 {
  ..
  group {
         ..
        cache_attribute = "Cached-Ldap-Group"
  }
}

ldap site1_ldap2 {
  ..
  group {
         ..
        cache_attribute = "Cached-Ldap-Group"
  }
}

etc ..

.. but v4 doesn't seem to:

Creating attribute site1_ldap2-LDAP-Group
Error creating cache attribute
/etc/freeradius/mods-enabled/ldap[94]: Bootstrap failed for module "site1_ldap2".

If I rename the cache names to be unique it's ok.

Guess I either "find out" which ldap module was called in the redundant-load-balance section and then reference the specific ldap instance cache name later, or somehow getting around having to check the group cache, probably doing another ldap lookup I suppose. Any ideas?
Thanks
Andy


********************************************************************************************************************

This message may contain confidential information. If you are not the intended recipient please inform the
sender that you have received the message in error before deleting it.
Please do not disclose, copy or distribute information in this e-mail or take any action in relation to its contents. To do so is strictly prohibited and may be unlawful. Thank you for your co-operation.

NHSmail is the secure email and directory service available for all NHS staff in England and Scotland. NHSmail is approved for exchanging patient data and other sensitive information with NHSmail and other accredited email services.

For more information and to find out how you can switch, https://portal.nhs.net/help/joiningnhsmail

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
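The policy line above tests every value of the shared group cache against a regexp. The added example below (not code from the thread or from FreeRADIUS) reproduces that `&control:Cached-Ldap-Group[*] =~ /.../` check in Python so the two things a reviewer would want to verify can be exercised offline: that the check fails closed when the cache attribute is absent (no LDAP instance answered), and that an unanchored group-DN regexp can over-match a similarly named group. The cached group DNs are constructed sample values, and `normalise_dn` is an assumed helper, not something the ldap module does.

```python
import re
from typing import Iterable, Optional

# Constructed sample: group DNs as a successful lookup would leave them in
# &control:Cached-Ldap-Group. Directories differ in case and spacing, so the
# sample deliberately mixes both.
CACHED_GROUPS = [
    "cn=vpn-users,ou=groups,dc=example,dc=org",
    "CN=Domain Admins, OU=Groups, DC=example, DC=org",
    "cn=vpn-users-guest,ou=groups,dc=example,dc=org",
]


def normalise_dn(dn: str) -> str:
    """Assumed helper: strip whitespace around unescaped RDN separators so that
    'CN=a, OU=b' and 'CN=a,OU=b' compare equal (case is handled by the regexp)."""
    parts = [p.strip() for p in re.split(r"(?<!\\),", dn)]
    return ",".join(parts)


def group_matches(cached: Optional[Iterable[str]], pattern: str,
                  anchored: bool = True) -> bool:
    """Model of `&control:Cached-Ldap-Group[*] =~ /pattern/`.

    Returns True if any cached value matches. With anchored=True the pattern
    must describe the whole DN, which is what a group-membership gate needs;
    anchored=False reproduces a bare unlang regexp, which matches substrings.
    """
    if not cached:
        # No cache attribute: no instance in the load-balance block answered.
        return False
    rx = re.compile(f"^(?:{pattern})$" if anchored else pattern, re.IGNORECASE)
    return any(rx.search(normalise_dn(g)) for g in cached)


def authorize(cached: Optional[Iterable[str]], required_group_dn: str) -> str:
    """Policy decision in the spirit of the thread's `if (...)` block: only a
    full-DN match on the cached groups grants access; everything else rejects."""
    return "accept" if group_matches(cached, re.escape(required_group_dn)) else "reject"


if __name__ == "__main__":
    vpn = "cn=vpn-users,ou=groups,dc=example,dc=org"
    print(authorize(CACHED_GROUPS, vpn))                     # accept
    print(authorize(None, vpn))                              # reject (no cache)
    guest_only = [g for g in CACHED_GROUPS if "guest" in g]
    print(group_matches(guest_only, "cn=vpn-users", anchored=False))  # True: over-match
    print(group_matches(guest_only, "cn=vpn-users", anchored=True))   # False
```

The `anchored=False` call shows why the regexp held in `${policy.groupdn-utvid-regexp}` should match the whole DN (or at least the full `cn=` RDN followed by its separator) rather than a prefix; otherwise a group whose name merely begins with the intended one satisfies the check.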

Re: Load balancing and ldap group cache

Alan DeKok-2
On Jul 20, 2020, at 6:05 AM, FRANKS, Andy (SHREWSBURY AND TELFORD HOSPITAL NHS TRUST) via Freeradius-Users <[hidden email]> wrote:
> The problem is previous versions used to let you have each ldap instance with the same cache name each time, e.g.
> ...
> .. but v4 doesn't seem to:
>
> Creating attribute site1_ldap2-LDAP-Group
> Error creating cache attribute
> /etc/freeradius/mods-enabled/ldap[94]: Bootstrap failed for module "site1_ldap2".

  It should generally print out a reason as to *why* it failed.  But it should also allow the duplicate.

  I've pushed a fix.  It now works.

  Alan DeKok.



RE: Load balancing and ldap group cache

Users mailing list
Thank you very much Alan, super fast! It's starting up fine, on to testing now ..
:-)




