Redundant LDAP servers in /etc/freeradius/modules/ldap


Redundant LDAP servers in /etc/freeradius/modules/ldap

Tom Yard
Dear people, I have a FreeRADIUS server, version 2.2.5, using LDAP for
authentication.

I have just one LDAP server defined in /etc/freeradius/modules/ldap, but
yesterday the DC went down and Freeradius was offline.

Is it possible to have a redundant two-LDAP-server scheme, defining this in
/etc/freeradius/modules/ldap:

ldap {
        server = "server1.company.com"
        server = "server2.company.com"
        identity = "CN=wifi,OU=it,DC=company,DC=com"
        password = xxxxx
        basedn = "OU=it,DC=company,DC=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
}

Thanks in advance!!!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Redundant LDAP servers in /etc/freeradius/modules/ldap

Alan DeKok-2
On Nov 27, 2018, at 1:55 PM, Tom Yard <[hidden email]> wrote:

>
> Dear people, I have a FreeRADIUS server, version 2.2.5, using LDAP for
> authentication.
>
> I have just one LDAP server defined in /etc/freeradius/modules/ldap, but
> yesterday the DC went down and Freeradius was offline.
>
> Is it possible to have a redundant two-LDAP-server scheme, defining this in
> /etc/freeradius/modules/ldap:
>
> ldap {
>        server = "server1.company.com"
>        server = "server2.company.com"

  No.

  Some LDAP libraries will parse the server name into multiple pieces if it contains commas:

        server = "server1,server2"

  I don't recommend that, as it means that the LDAP client library is in charge of fail-over, and they are typically terrible.

  It's better to use the fail-over mechanism in FreeRADIUS.  It works, and it's under your control.

  Alan DeKok.


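The FreeRADIUS-side fail-over Alan refers to, shown as an added example that is not from this thread or the FreeRADIUS project: two instances of the ldap module in /etc/freeradius/modules/ldap, one per directory server, called from a `redundant` block in the server's site configuration. The hostnames, bind DN, base DN and filter are the poster's own placeholders; the instance names and the timeout values are assumptions.

```conf
# /etc/freeradius/modules/ldap -- one ldap instance per directory server.
# Short timeouts (assumed values) stop a dead server from stalling every
# request for the full library default before the next instance is tried.
ldap ldap1 {
        server = "server1.company.com"
        identity = "CN=wifi,OU=it,DC=company,DC=com"
        password = xxxxx
        basedn = "OU=it,DC=company,DC=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        # seconds to establish the TCP connection
        net_timeout = 1
        # seconds to wait for a search reply
        timeout = 4
        # server-side search time limit in seconds
        timelimit = 3
}

ldap ldap2 {
        server = "server2.company.com"
        identity = "CN=wifi,OU=it,DC=company,DC=com"
        password = xxxxx
        basedn = "OU=it,DC=company,DC=com"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        net_timeout = 1
        timeout = 4
        timelimit = 3
}

# /etc/freeradius/sites-enabled/default -- replace the bare "ldap" call
# with a redundant group; the other entries of each section stay as they were.
authorize {
        # preprocess, suffix, eap, files, ... unchanged
        redundant {
                ldap1
                ldap2
        }
        # expiration, logintime, pap, ... unchanged
}

authenticate {
        # Only needed when users are authenticated by binding to LDAP
        # (Auth-Type LDAP), as is usual with Active Directory.
        Auth-Type LDAP {
                redundant {
                        ldap1
                        ldap2
                }
        }
}
```

A `redundant` block moves on to the next module only when the previous one returns "fail" (connection refused, timeout), not on "notfound" or "reject", so an unknown user on server1 is not looked up again on server2.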

Re: Redundant LDAP servers in /etc/freeradius/modules/ldap

Tom Yard
Dear Alan, thanks for your help.

I have two questions now:

1)  There are no commas at all in my definition in
/etc/freeradius/modules/ldap:

ldap {
        server = "server1.company.com"
        server = "server2.company.com"
....
}

2) Does the failover mechanism work in FreeRADIUS 2.2.5?

Thanks again!!



On Tue, Nov 27, 2018 at 19:58, Alan DeKok (<[hidden email]>)
wrote:

> On Nov 27, 2018, at 1:55 PM, Tom Yard <[hidden email]> wrote:
> >
> > Dear people, I have a FreeRADIUS server, version 2.2.5, using LDAP for
> > authentication.
> >
> > I have just one LDAP server defined in /etc/freeradius/modules/ldap, but
> > yesterday the DC went down and Freeradius was offline.
> >
> > Is it possible to have a redundant two-LDAP-server scheme, defining this in
> > /etc/freeradius/modules/ldap:
> >
> > ldap {
> >        server = "server1.company.com"
> >        server = "server2.company.com"
>
>   No.
>
>   Some LDAP libraries will parse the server name into multiple pieces if
> it contains commas:
>
>         server = "server1,server2"
>
>   I don't recommend that, as it means that the LDAP client library is in
> charge of fail-over, and they are typically terrible.
>
>   It's better to use the fail-over mechanism in FreeRADIUS.  It works, and
> it's under your control.
>
>   Alan DeKok.
>

Re: Redundant LDAP servers in /etc/freeradius/modules/ldap

Alan DeKok-2
On Nov 28, 2018, at 8:43 AM, Tom Yard <[hidden email]> wrote:
>
> Dear Alan, thanks for your help.

  Apparently not, because you have asked exactly the same questions again.

> I have two questions now:
>
> 1)  There are no commas at all in my definition in
> /etc/freeradius/modules/ldap:
>
> ldap {
>        server = "server1.company.com"
>        server = "server2.company.com"
> ....
> }

  I'm well aware there are no commas.  Do you think I didn't read your message?

  I told you what to do.  Why not follow instructions?  Do you think if you ask nicely *many* times, I will go "nah, you're right, I lied to you.  You CAN use multiple 'server' entries despite all documentation to the contrary".
 
> 2) Does the failover mechanism work in FreeRADIUS 2.2.5?

  I told you to use it.  Why ask the question again?

  Where does this end?  How many times should I answer the same question before you believe me?

Q: does it work?
A: Yes
Q: Really?
A: Yes, really.
Q: But no... seriously.. really?
A: <sigh>

  Please don't ask the same questions over and over.  It's rude.  Please follow instructions instead of just asking the same question over and over.

  Alan DeKok.
