Hi,

We use radius (freeradius2-2.1.7-7.el5) for user authentication/authorization 
on network devices.
Therefore we use a mapping from huntgroups to ldap groups.

We have three ldap servers running, and wanted to use "redundant" or 
"redundant-load-balance".

I have tested two cases so far, because I already found messages that point 
to known problems with ldap redundancy and extends (ldap-groups) within the 
users file.

Case 1
================
Defining 3 separate ldap servers within modules/ldap

        ldap ldap-1 {
                server = "<IP ldap-1>"
                .}

        ldap ldap-2 {
                server = "<IP ldap-2>"
                .}

        ldap ldap-3 {
                server = "<IP ldap-3>"
                .}


And using "redundant" for ldap within authorize and authenticate:

authorize {
        preprocess
        files
        redundant {
                ldap-1
                ldap-2
                ldap-3
                handled
        }
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type ldap-1 {
                ldap-1
        }
        Auth-Type ldap-2 {
                ldap-2
        }
        Auth-Type ldap-3 {
                ldap-3
        }
        Auth-Type LDAP {
                redundant {
                        ldap-1
                        ldap-2
                        ldap-3
                        handled
                }
        }
}

Problem: radius always uses the same ldap server for group extends.
If this (one!) server fails, radius authentication is not possible.
Very bad, because we have "redundancy" configured, and expected to have zero 
outage.


Case 2
================
Defining all three servers within one section in modules/ldap

        ldap {
                server = "<IP ldap-1> <IP ldap-2> <IP ldap-3>"
                .}

And setting just "ldap" within authorize and authenticate:

authorize {
        preprocess
        files
        ldap
        pap
}
authenticate {
        Auth-Type PAP {
                pap
        }
        Auth-Type LDAP {
                ldap
        }
}

With this config another ldap server is chosen if the one that handled 
the communication for ldap group extends fails. But failover took 15 minutes. 
That's much too long for us.
(1-3 minutes at most would be acceptable, "zero outage" gorgeous/expected)

I found mails regarding similar problems within the archive, but no suitable 
solution.
(e.g. 
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg23408.html 
from 2006)

Is there a solution for reducing the outage and having load balancing for our 
case?

I hope that I explained my problem understandably (native language is 
German), and didn't paste too much config.

Jan



Just an excerpt of our users file; we have 18 default lines and an additional 4 for a 
local/PAP user:


DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == "<LDAP-GROUP-Team-a>"
        Login-Service = Telnet

DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == "<LDAP-GROUP-Team-b>"
        Login-Service = Telnet

DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == "<LDAP-GROUP-Team-c>"
        Login-Service = Telnet

DEFAULT Auth-Type := LDAP, Huntgroup-Name == "nexus", LDAP-Group == "<LDAP-GROUP-Team-a>"
        Login-Service = Telnet,
        Vendor-Specific = 9,
        Cisco-AVPair = "shell:roles*\"network-admin\" \"vdc-admin\""

DEFAULT Auth-Type := LDAP, Huntgroup-Name == "brocade", LDAP-Group == "<LDAP-GROUP-Team-a>"
        Vendor-Specific = 1991,
        Foundry-Privilege-Level = 0,
        foundry-command-string = "*",
        foundry-command-exception-flag = 0

DEFAULT Auth-Type := LDAP, LDAP-Group == "<LDAP-GROUP-Team-a>"
        Service-Type = Administrative-User,
        Login-Service = Telnet,
        Vendor-Specific = 9,
        cisco-avpair = "shell:priv-lvl=15"

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
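Added example, not part of the post above and not FreeRADIUS code: a small Python simulation of what a "redundant { ... }" walk over three ldap servers costs in time when the members fail in different ways, which is the mechanism behind the 15-minute failover in Case 2. The servers are local stubs speaking a constructed one-line protocol (not LDAP), and the names start_stub_server, query_with_failover, refused_endpoint and demo are assumptions of this example. The point it makes visible: a server that refuses the connection is skipped instantly, but a server that accepts the TCP connection and then never answers costs the client one full timeout per attempt, and with no timeout at all the client blocks on it for as long as the kernel keeps the connection alive. In the 2.x ldap module the settings that bound those waits are `timeout` (query) and `net_timeout` (network) in modules/ldap.

```python
import socket
import threading
import time


def start_stub_server(behaviour):
    """Start a local TCP listener on an ephemeral port (a constructed stand-in
    for an LDAP server; it speaks a one-line toy protocol, not LDAP).

    behaviour "answer": reads one request and replies b"OK\\n"
    behaviour "hang":   accepts the connection and never replies, which is
                        what a wedged server looks like to its clients
    Returns the (host, port) tuple the stub listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held_open = []  # hung connections are parked here so they stay open

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            if behaviour == "answer":
                try:
                    conn.recv(64)
                    conn.sendall(b"OK\n")
                finally:
                    conn.close()
            else:
                held_open.append(conn)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def refused_endpoint():
    """Return a 127.0.0.1 port with nothing listening (connection refused)."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    endpoint = probe.getsockname()
    probe.close()
    return endpoint


def query_with_failover(servers, timeout):
    """Try each (host, port) in order, the way a redundant { ... } block walks
    its module list.  Returns (index_that_answered, elapsed_seconds); the index
    is -1 if every server failed.  'timeout' bounds both the TCP connect and
    the wait for a reply, so a hung server costs at most 'timeout' seconds
    before the next one is tried (timeout=None would block on it)."""
    started = time.monotonic()
    for idx, (host, port) in enumerate(servers):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                s.sendall(b"BIND uid=radius\n")  # constructed toy request
                if s.recv(64).startswith(b"OK"):
                    return idx, time.monotonic() - started
        except OSError:
            pass  # refused, connect timeout or read timeout: next server
    return -1, time.monotonic() - started


def demo(timeout=0.3):
    """Three 'servers': one refusing, one hung, one healthy, tried in order.
    Only the hung one should contribute noticeably to the elapsed time."""
    servers = [refused_endpoint(),
               start_stub_server("hang"),
               start_stub_server("answer")]
    return query_with_failover(servers, timeout)


if __name__ == "__main__":
    idx, elapsed = demo()
    print(f"answered by server #{idx} after {elapsed:.2f}s")
```

Run with `python3 failover_sim.py`; the healthy server (index 2) answers after roughly one timeout (0.3 s), the cost of the hung server in the middle. Raising the timeout, or adding more hung members, increases the total linearly, which is the arithmetic to keep in mind when tuning `timeout`/`net_timeout` against the 1-3 minute target mentioned in the post.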