>>> Defining all three servers within one section in modules/ldap
>>>
>>> ldap {
>>>   server = "<IP ldap-1> <IP ldap-2> <IP ldap-3>"
>>> }
>>>
>>> And setting just "ldap" within authorize and authenticate:
>>>
>>> With this config another ldap server is chosen, if the one that has
>>> handled the communication for ldap group extends fails. But failover took
>>> 15 minutes. That's much too long for us.
>>> (1-3 minutes at most will be acceptable, "zero outage"
>>> gorgeous/expected)
>> It should not take 15 minutes.
>> What is your "net_timeout" set to?

> net_timeout = 1
> timelimit = 2
> timeout = 4
> For testing I added a host route to another gateway (= host unreachable)

OK, I tested around with a single ldap section. Setting a route to a different interface for testing was a bad idea!

I watched the connections on the ldap port, and made my tests.

- I made the first request (with positive answer)
- A connection to one server was opened and resides "established"!
- Adding the route for that server to another gateway
- The established connection is still visible (netstat -anlp | grep <ldap-server-port>)
- All requests for the next 15 minutes fail (server not reachable)
- After 15 minutes, the established connection terminates, and a new connection to another server is opened. Radius has switched to another server, and everything went fine from now on.

But I made the same test again, with "tcpkill" from the dsniff package, instead of setting a route. And with this test radius switches immediately to another server, no request fails! :-)

Now it is just unclear: will these tests be representative for real ldap-server or connection problems?

Jan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
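An added illustration, not FreeRADIUS code and not part of Jan's test, of why the two tests behave differently: a peer that closes the connection is noticed by the client at once, while a peer that silently stops answering (the black-holed route) is only noticed when the client's own per-request timeout expires; a client that waits for a socket error alone sits there until the kernel gives up retransmitting. The three loopback servers, the request bytes and the timeout value are constructed for this example.

```python
import socket
import threading
import time


def _serve(listener, reply):
    """Accept one connection and emulate one peer type.

    reply=b"ok"  -> a healthy server that answers
    reply=b""    -> a server that closes the connection (client sees EOF at once)
    reply=None   -> a black-holed server: connection stays open, nothing ever comes back
    """
    conn, _ = listener.accept()
    with conn:
        conn.recv(1024)
        if reply is None:
            threading.Event().wait(5)  # stay silent, keep the socket "established"
        elif reply:
            conn.sendall(reply)
    listener.close()


def start_server(reply):
    """Start a constructed loopback server on an ephemeral port; return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve, args=(listener, reply), daemon=True).start()
    return listener.getsockname()[1]


def query_with_failover(servers, timeout):
    """Try servers in order; return (index used, reply, seconds elapsed).

    The per-request timeout, not TCP's retransmission limit, decides when a
    silent peer is abandoned; EOF from a closed peer fails over immediately.
    """
    started = time.monotonic()
    for idx, addr in enumerate(servers):
        try:
            with socket.create_connection(addr, timeout=timeout) as c:
                c.sendall(b"bind uid=test")       # constructed request, not real LDAP
                data = c.recv(1024)
                if data:                          # b"" means the peer closed on us
                    return idx, data, time.monotonic() - started
        except OSError:                           # connect failure or recv timeout
            continue
    return None, b"", time.monotonic() - started
```

Run with three servers (closed, silent, healthy) and a 1 s timeout: the closed peer costs milliseconds, the silent one costs the full timeout, and the third answers.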