I can tell that ldap failover config is a FAQ by the number of hits I found searching for this, but it seems that many of the config examples are for older versions of FreeRADIUS. In any case, this is what I've tried, but it's not working:
In radiusd.conf:

ldap ldap1{
    server = "serverA.domain.com"
    basedn = "dc=domain,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = no
}

ldap ldap2{
    server = "serverB.domain.com"
    basedn = "dc=domain,dc=com"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
    tls {
        start_tls = no
    }
    dictionary_mapping = ${confdir}/ldap.attrmap
    edir_account_policy_check = no
    set_auth_type = yes
}

-----------

This is what I put in sites-enabled/default AND in sites-enabled/inner-tunnel (it doesn't look right to me, but it's what I found):

authorize {
    preprocess
    redundant LDAP{
        ldap1
        ldap2
    }
    Auth-Type LDAP {
        ldap1
        ldap2
    }

-------------

Again, sorry for the FAQ, but if somebody could put me straight here, I'd appreciate it.