Hi, We use radius (freeradius2-2.1.7-7.el5) for user authentication/authorization on network devices. Therefore we use a mapping from huntgroups to ldap groups.
We have three LDAP servers running, and wanted to use "redundant" or "redundant-load-balance". I have tested two cases till now, because I already found messages that point to known problems with LDAP redundancy and extends (ldap-groups) within the users file.

Case 1
================
Defining 3 separate LDAP servers within modules/ldap:

    ldap ldap-1 {
            server = "<IP ldap-1>"
            ...
    }
    ldap ldap-2 {
            server = "<IP ldap-2>"
            ...
    }
    ldap ldap-3 {
            server = "<IP ldap-3>"
            ...
    }

And using "redundant" for ldap within authorize and authenticate:

    authorize {
            preprocess
            files
            redundant {
                    ldap-1
                    ldap-2
                    ldap-3
                    handled
            }
            pap
    }
    authenticate {
            Auth-Type PAP {
                    pap
            }
            Auth-Type ldap-1 {
                    ldap-1
            }
            Auth-Type ldap-2 {
                    ldap-2
            }
            Auth-Type ldap-3 {
                    ldap-3
            }
            Auth-Type LDAP {
                    redundant {
                            ldap-1
                            ldap-2
                            ldap-3
                            handled
                    }
            }
    }

Problem: radius is always using the same LDAP server for group extends. If this (one!) server fails, radius authentication is not possible. Very bad, because we have "redundancy" configured, and expected to have zero outage.

Case 2
================
Defining all three servers within one section in modules/ldap:

    ldap {
            server = "<IP ldap-1> <IP ldap-2> <IP ldap-3>"
            ...
    }

And setting just "ldap" within authorize and authenticate:

    authorize {
            preprocess
            files
            ldap
            pap
    }
    authenticate {
            Auth-Type PAP {
                    pap
            }
            Auth-Type LDAP {
                    ldap
            }
    }

With this config another LDAP server is chosen if the one that has handled the communication for LDAP group extends fails. But failover took 15 minutes. That's much too long for us. (1-3 minutes at most will be acceptable, "zero outage" gorgeous/expected.)

I found mails regarding similar problems within the archive, but no suitable solution. (e.g. http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg23408.html from 2006)

Is there a solution for reducing the outage and having load balancing for our case?

I hope that I explained my problem in an understandable way (native language is German), and didn't paste too many configs.

Jan

Just an excerpt of our users file; we have 18 default lines and an additional 4 for a local/PAP user:

    DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == "<LDAP-GROUP-Team-a>"
            Login-Service = Telnet

    DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == "<LDAP-GROUP-Team-b>"
            Login-Service = Telnet

    DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == "<LDAP-GROUP-Team-c>"
            Login-Service = Telnet

    DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", LDAP-Group == "<LDAP-GROUP-Team-a>"
            Login-Service = Telnet,
            Vendor-Specific = 9,
            Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""

    DEFAULT Auth-Type := LDAP, Huntgroup-Name == "brocade", LDAP-Group == "<LDAP-GROUP-Team-a>"
            Vendor-Specific = 1991,
            Foundry-Privilege-Level = 0,
            foundry-command-string = "*",
            foundry-command-exception-flag = 0

    DEFAULT Auth-Type := LDAP, LDAP-Group == "<LDAP-GROUP-Team-a>"
            Service-Type = Administrative-User,
            Login-Service = Telnet,
            Vendor-Specific = 9,
            cisco-avpair = "shell:priv-lvl=15"

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
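The failover time in Case 2 is bounded by how long rlm_ldap waits on a dead server before moving on. As an added example (not from Jan's post or the FreeRADIUS project config), here is one rlm_ldap instance per server with the 2.x per-query timeout knobs set low, combined with "redundant-load-balance" so requests are spread across all three; the instance names, addresses and timeout values are assumptions.

```conf
# modules/ldap  (added example; repeat the block for ldap-2 and ldap-3
# with their own server = line; "..." stands for the existing
# basedn/identity/filter settings, which are unchanged)
ldap ldap-1 {
        server = "<IP ldap-1>"
        ...
        # seconds to wait for the LDAP query to finish (default 20)
        timeout = 4
        # seconds the server may spend on the query, sent as the
        # server-side time limit (default 20)
        timelimit = 3
        # seconds to wait for the network before treating the server
        # as down; this is what bounds the failover delay (default 10)
        net_timeout = 1
}

# sites-enabled/default
authorize {
        preprocess
        files
        # each request picks one instance; on a failure (server down,
        # timeout) the next instance is tried, so one dead server
        # costs at most net_timeout seconds per request
        redundant-load-balance {
                ldap-1
                ldap-2
                ldap-3
        }
        pap
}

authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                redundant-load-balance {
                        ldap-1
                        ldap-2
                        ldap-3
                }
        }
}
```

After changing the module config, check it with `radiusd -XC` before restarting, and verify the failover behaviour by stopping one LDAP server and timing a `radtest` login; the observed delay should be close to net_timeout rather than minutes.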