On 28/06/11 16:12, jan.gnep...@t-systems.com wrote:

> Problem: radius is always using the same ldap server for group extends.
> If this (one!) server fails, radius authentication is not possible.
> Very bad, because we have "redundancy" configured, and expected to have zero
> outage.

Sorry. The "ldap" module and FreeRADIUS do not work that way. "LDAP-Group" is a virtual attribute, that is registered by the first LDAP module to be created; it can't "fail over". It doesn't know about "redundant {}" or similar.

> Defining all three servers within one section in modules/ldap
>
>          ldap {
>                  server = "<IP ldap-1>  <IP ldap-2>  <IP ldap-3>"
>                  ...
>          }

> And setting just "ldap" within authorize and authenticate:
>
> With this config another ldap server is chosen if the one that handled
> the communication for ldap group extends fails. But failover took 15 minutes.
> That's much too long for us.
> (1-3 minutes at most will be acceptable, "zero outage" gorgeous/expected)

It should not take 15 minutes.

What is your "net_timeout" set to?

Unfortunately, when you supply >1 LDAP server, this is handled internally by libldap, and libldap tries the LDAP servers in series, not in parallel. So there will always be some outage.

FreeRADIUS does not currently have connection pools, and they're a bit hard with LDAP because libldap doesn't have a great API.


> I found mails regarding similar problems within the archive, but no suitable
> solution.
> (e.g.
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg23408.html
> from 2006)
>
> Is there a solution for reducing the outage and having loadbalancing for our
> case?

At the moment, the "ldap" module does not have the kind of instant failover you're looking for. You will need some kind of IP loadbalancing solution in front of your LDAP servers to achieve this.
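One way to get the IP load balancing the reply points to, as an added example that is not from this thread or the FreeRADIUS project: an HAProxy TCP front end that probes each directory server with an LDAPv3 bind and stops sending traffic to a failed one within a few seconds. The server addresses are the placeholders from the quoted config; the listening VIP address is assumed.

```haproxy
# Added example (not from the thread): HAProxy in front of three LDAP servers.
# Addresses in angle brackets are placeholders from the quoted config; the
# listening VIP 10.0.0.10 is an assumed value.
global
    log /dev/log local0

defaults
    mode    tcp                 # LDAP is plain TCP; no protocol parsing needed
    log     global
    option  tcplog
    timeout connect 2s          # give up on a backend that does not accept quickly
    timeout client  60s
    timeout server  60s

# FreeRADIUS points its ldap module at this single address instead of a
# space-separated server list, so libldap has nothing to retry in series.
frontend ldap_vip
    bind 10.0.0.10:389
    default_backend ldap_servers

backend ldap_servers
    balance roundrobin          # spread binds and searches over all healthy servers
    option  ldap-check          # LDAPv3 anonymous bind as the health probe
    # inter 2s / fall 2: a server is marked down a few seconds after it stops
    # answering; rise 3: it must pass three probes in a row before taking traffic.
    default-server inter 2s fall 2 rise 3
    server ldap-1 <IP ldap-1>:389 check
    server ldap-2 <IP ldap-2>:389 check
    server ldap-3 <IP ldap-3>:389 check
```

With this in place the ldap module's `server` setting carries only the VIP, and a lowered `net_timeout` then bounds how long a single in-flight query can hang before the module reports failure.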
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html