>> Problem: radius is using always the same ldap server for group extends.
>> If this (one!) server fails, radius authentication is not possible.
>> Very bad, because we have "redundancy" configured, and expected to have zero 
>> outage.

>Sorry. The "ldap" module and FreeRADIUS do not work that way. 
>"LDAP-Group" is a virtual attribute, that is registered by the first 
>LDAP module to be created; it can't "fail over". It doesn't know about 
>"redundant {}" or similar.

OK, thanks for the detailed answer.
I read answers in other threads that already point to that fact.


>> Defining all three servers within one section in modules/ldap
>>
>>          ldap {
>>                  server = "<IP ldap-1>  <IP ldap-2>  <IP ldap-3>"
>>                  ...
>>          }
>>
>> And setting just "ldap" within authorize and authenticate:
>>
>> With this config another ldap server is chosen if the one that has 
>> handled the communication for ldap group extends fails. But failover took 15 
>> minutes. That's much too long for us.
>> (1-3 minutes at most will be acceptable, "zero outage" gorgeous/expected)

>It should not take 15 minutes.

>What is your "net_timeout" set to?

net_timeout = 1
timelimit = 2
timeout = 4

For testing I added a host route to another gateway (= host unreachable)


>Unfortunately, when you supply >1 LDAP server, this is handled 
>internally by libldap, and libldap tries the LDAP servers in series, not 
>in parallel. So there will always be some outage.

As I wrote in my first post, a short outage would be OK, but 15 minutes was too 
much.
I added the host route to the server that opened the first connection when a 
request came in (I thought that this is the call regarding ldap-group).
That was normally the last from the list (server=...).
I made several requests, but all ended with "server unreachable / reject".
But I could see in tcpdump that after 15 minutes a lot of connections to 
another ldap server were opened.
From this moment, all new requests were successful, to another ldap.


>FreeRADIUS does not currently have connection pools, and they're a bit 
>hard with LDAP because libldap doesn't have a great API.

>>
>> I found mails regarding similar problems within the archive, but no suitable 
>> solution.
>> (e.g 
>> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg23408.html
>>  from 2006)
>>
>> Is there a solution for reducing the outage and having loadbalancing for our 
>> case?

>At the moment, the "ldap" module does not have the kind of instant 
>failover you're looking for. You will need some kind of IP loadbalancing 
>solution in front of your LDAP servers to achieve this.

Not as easy as it sounds ;-)
12 radius pairs (single server with the same config) at 10 locations, 3 ldap 
servers at 3 different locations.
To countervail the loss of one or two locations, load balancing will be very 
complex.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
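The point made in the reply above, that libldap walks a space-separated server list in series rather than probing the servers in parallel, is easy to see with a small model. The following is an added example, not FreeRADIUS or libldap code, and not from anyone in this thread. It assumes a per-server connect timeout comparable to the module's "net_timeout", uses a plain TCP connect as the probe (no LDAP bind), and takes a constructed server list of TEST-NET addresses that are never reachable. The `connect` parameter lets the probe be swapped for a fake, which is also how a monitoring check in front of a load balancer would be unit-tested.

```python
"""Serial (libldap-style) vs parallel server selection with a connect timeout.

Added example, not FreeRADIUS or libldap code. Assumes every server gets the
same connect timeout, comparable to the ldap module's "net_timeout" setting.
"""
import socket
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from typing import Callable, List, Optional, Tuple

# Constructed sample server list (RFC 5737 TEST-NET addresses, never reachable).
SAMPLE_SERVERS: List[str] = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
LDAP_PORT = 389

ConnectFn = Callable[[str, int, float], bool]


def tcp_connect(host: str, port: int, timeout: float) -> bool:
    """Real probe: a TCP connect bounded by `timeout`; no LDAP traffic is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_serially(servers: List[str], timeout: float,
                  connect: ConnectFn = tcp_connect) -> Tuple[Optional[str], int]:
    """Try servers in list order and stop at the first one that answers.

    This mirrors how a space-separated server list is walked one host at a
    time, so a dead host in front of a live one costs a full `timeout` each.
    Returns (chosen server or None, number of servers attempted).
    """
    attempts = 0
    for host in servers:
        attempts += 1
        if connect(host, LDAP_PORT, timeout):
            return host, attempts
    return None, attempts


def pick_in_parallel(servers: List[str], timeout: float,
                     connect: ConnectFn = tcp_connect) -> Optional[str]:
    """Probe every server at once and return the first that answers.

    Worst case is a single `timeout`, regardless of how many hosts are dead.
    """
    with ThreadPoolExecutor(max_workers=len(servers)) as pool:
        futures = {pool.submit(connect, h, LDAP_PORT, timeout): h for h in servers}
        for fut in as_completed(futures):
            if fut.result():
                return futures[fut]
    return None


def worst_case_serial_delay(dead_before_first_alive: int, timeout: float) -> float:
    """Upper bound on the delay a serial walk adds: one timeout per dead host
    that precedes the first live one. Two dead hosts at net_timeout = 1 gives
    about 2 seconds, nowhere near the 15 minutes reported in the thread."""
    return dead_before_first_alive * timeout


if __name__ == "__main__":
    # Against TEST-NET all probes fail, so the serial walk takes ~3 x timeout
    # and the parallel probe ~1 x timeout.
    for name, fn in (("serial", lambda: pick_serially(SAMPLE_SERVERS, 1.0)),
                     ("parallel", lambda: pick_in_parallel(SAMPLE_SERVERS, 1.0))):
        start = time.monotonic()
        result = fn()
        print(f"{name}: {result} after {time.monotonic() - start:.1f}s")
```

Run with the real `tcp_connect` against the sample list, the serial walk burns roughly three timeouts before giving up and the parallel probe roughly one; with a live third server the serial walk still pays two timeouts before reaching it, which is the unavoidable "some outage" the reply refers to.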