>> Problem: radius is always using the same ldap server for group extends.
>> If this (one!) server fails, radius authentication is not possible.
>> Very bad, because we have "redundancy" configured, and expected to have zero
>> outage.

> Sorry. The "ldap" module and FreeRADIUS do not work that way.
> "LDAP-Group" is a virtual attribute, that is registered by the first
> LDAP module to be created; it can't "fail over". It doesn't know about
> "redundant {}" or similar.

OK, thanks for the detailed answer. I read in other threads answers that already point to that fact.

>> Defining all three servers within one section in modules/ldap
>>
>> ldap {
>>   server = "<IP ldap-1> <IP ldap-2> <IP ldap-3>"
>>   ...
>> }
>>
>> And setting just "ldap" within authorize and authenticate:
>>
>> With this config another ldap server is chosen, if the one that has
>> handled the communication for ldap group extends fails. But failover took 15
>> minutes. That's much too long for us.
>> (1-3 minutes at most will be acceptable, "zero outage" gorgeous/expected)

> It should not take 15 minutes.
> What is your "net_timeout" set to?

net_timeout = 1
timelimit = 2
timeout = 4

For testing I added a host route to another gateway (= host unreachable).

> Unfortunately, when you supply >1 LDAP server, this is handled
> internally by libldap, and libldap tries the LDAP servers in series, not
> in parallel. So there will always be some outage.

As I wrote in my first post, a short outage would be OK, but 15 minutes was too much.

I added the host route to the server that opened the first connection when a request came in (I thought that this is the call regarding ldap-group). That was normally the last one from the list (server=...).

I made several requests, but all ended with "server unreachable / reject". But I could see in tcpdump that after 15 minutes a lot of connections to another ldap server were opened. From this moment, all new requests were successful, to another ldap.

> FreeRADIUS does not currently have connection pools, and they're a bit
> hard with LDAP because libldap doesn't have a great API.

>> I found mails regarding similar problems within the archive, but no suitable
>> solution.
>> (e.g.
>> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg23408.html
>> from 2006)
>>
>> Is there a solution for reducing the outage and having loadbalancing for our
>> case?

> At the moment, the "ldap" module does not have the kind of instant
> failover you're looking for. You will need some kind of IP loadbalancing
> solution in front of your LDAP servers to achieve this.

Not as easy as it sounds ;-)

12 radius pairs (single servers with the same config) at 10 locations, 3 ldap servers at 3 different locations.
To countervail the loss of one or two locations, loadbalancing will be very complex.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
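For readers who want to see the single-instance variant the poster describes written out in full, here is an added example (not the poster's file, not from the FreeRADIUS project): one "ldap" module instance listing all three servers, with the timeout values reported in the thread, and the plain `ldap` call in `authorize` and `authenticate`. The option names follow the FreeRADIUS 2.x `raddb/modules/ldap` layout of that era, which is an assumption; the addresses, bind DN, base DN, password and the group name `radius-users` are placeholders, since the thread only shows `<IP ldap-1>` etc.

```conf
# raddb/modules/ldap  (FreeRADIUS 2.x option names assumed; added example)
#
# All three servers live in ONE instance, so the LDAP-Group virtual attribute
# (registered by the first ldap instance) keeps working when a server is lost.
# As noted in the thread, libldap walks this list in series, not in parallel,
# so a dead server costs at least net_timeout before the next one is tried.
ldap {
        # Placeholder addresses; the poster's config only shows "<IP ldap-1>" etc.
        server = "192.0.2.11 192.0.2.12 192.0.2.13"
        port = 389

        identity = "cn=radius,ou=services,dc=example,dc=net"   # assumed bind DN
        password = "change-me"                                  # assumed
        basedn = "dc=example,dc=net"                            # assumed

        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        # The three values the poster reported, in seconds.
        net_timeout = 1     # network (connect) timeout per server attempt
        timeout = 4         # how long to wait for a search result
        timelimit = 2       # server-side search time limit sent with the query

        # Group membership lookups behind the LDAP-Group check (attribute names assumed).
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = radiusGroupName
}

# raddb/sites-enabled/default  (only the parts relevant to this thread)
authorize {
        preprocess
        ldap                              # single instance, no redundant {} wrapper

        # "radius-users" is an assumed group name.
        if (LDAP-Group == "radius-users") {
                ok
        }
        else {
                reject
        }
}

authenticate {
        Auth-Type LDAP {
                ldap
        }
}
```

With this layout a failed server is skipped by libldap inside the one instance, which is the behaviour the poster observed; what the thread does not give you is a bound on how long that skip takes, so anyone reproducing the test should, as the poster did, blackhole one address with a host route and watch the connection attempts in tcpdump rather than trusting the timeout values alone.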