Hi All,
I am in the process of rebuilding our servers to recent openldap and
freeradius versions in our lab and when done will re-write the ldap howto,
as I know it's pretty outdated by now.
Anyway, I've been playing around with using configurable failover for my
ldap setup and ran into an issue.
Now, I have found a workaround, so if you are trying to do
this, then read on. I was also wondering if anyone knows of an easier way
to do this or has suggestions on different ways to do group checks.
I started off just creating two ldap instances included into radiusd.conf.
For example:
ldap ldap1 {
    server = ldap1...
    ...
}
ldap ldap2 {
    server = ldap2...
    ...
}
Then in the authorize section, I have
...
files
redundant {
    ldap1
    ldap2
    notfound = return
}
In authenticate I have
Auth-Type LDAP {
    ldap1
    ldap2
}
That was working great! I love this feature. I could shut down ldap1 or
ldap2 and the autz and auth would just fail over to the other one.
Now, I decided to add Ldap-Group checks to the mix. We provision our
users with what services they get using radiusgroupname. So for a user
that had say dial and adsl access, they would get multiple radiusgroupname
attributes, one with dial and one with adsl.
i.e.:
dn: uid=dusty,ou=users,ou=radius,dc=...
objectclass: radiusprofile
uid: dusty
userpassword: dusty
radiusgroupname: dial
radiusgroupname: adsl
Now, in my users file, I added the following.
DEFAULT Huntgroup-Name == dial, Ldap-Group == dial
    Fall-Through = no
DEFAULT Auth-Type := Reject
This worked great without redundant setup. When a user comes in on a dial
line, we check to see if they have radiusgroupname: dial, if so we
authenticate them, if not they fall through to the Reject statement.
However, when I am using redundant, I cannot have this redundancy for
Ldap-Group lookups. It appears that for Ldap-Group lookups, only the last
ldap instance that I create (ldap2) is actually used for Ldap-Group
lookups. If I take down ldap1, I can still authenticate. I get the
redundancy of ldap2 for autz and auth. However, if I put ldap1 back up
and take down ldap2, I get a failure because I cannot lookup the
Ldap-Group, so it falls through to the reject statement.
So, reading through configurable failover, I tried instantiating both
ldap1 and ldap2. This was neat, because I could specify ldap1-Ldap-Group
or ldap2-Ldap-Group.
That feature enabled my workaround, which is to just make two entries for
each service in the users file.
i.e.:
DEFAULT Huntgroup-Name == dial, ldap1-Ldap-Group == dial
    Fall-Through = no
DEFAULT Huntgroup-Name == dial, ldap2-Ldap-Group == dial
    Fall-Through = no
However, I was wondering if anyone had any other ideas. I have a lot of
huntgroups and services, so this will double my entries. Not a big deal,
just looking to see if there is something easier.
Thanks,
-Dusty Doris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
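The fragments in the message above, assembled into one working configuration as an added example (these are not the poster's files). It assumes FreeRADIUS 1.x radiusd.conf syntax (the configurable-failover syntax the message refers to), rlm_preprocess with a huntgroups file to populate Huntgroup-Name, and a bind DN, base DN and server hostnames that are placeholders here. The huntgroup names dial and adsl, the radiusgroupname attribute and the ldap1-Ldap-Group / ldap2-Ldap-Group check names are the ones from the message; the generic Ldap-Group check is deliberately not used, because the message shows it ends up bound to a single instance.

```conf
# --- radiusd.conf (added example; hostnames, DNs and password are assumed) ---
modules {
    ldap ldap1 {
        server = "ldap1.example.com"                       # assumed hostname
        identity = "cn=radius,dc=example,dc=com"           # assumed bind DN
        password = "CHANGE-ME"                             # placeholder
        basedn = "ou=users,ou=radius,dc=example,dc=com"    # assumed base DN
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # ldap1-Ldap-Group == <x> matches when the user entry carries
        # "radiusgroupname: <x>", as in the LDIF in the message.
        groupmembership_attribute = "radiusgroupname"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        # Short network timeout: while ldap1 is down every ldap1-Ldap-Group
        # comparison waits this long before the ldap2 entry is tried.
        net_timeout = 1
        timeout = 4
        timelimit = 3
    }
    ldap ldap2 {
        server = "ldap2.example.com"                       # assumed hostname
        identity = "cn=radius,dc=example,dc=com"
        password = "CHANGE-ME"                             # placeholder
        basedn = "ou=users,ou=radius,dc=example,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        groupmembership_attribute = "radiusgroupname"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        net_timeout = 1
        timeout = 4
        timelimit = 3
    }
}

# Load both instances at startup so that the per-instance check items
# ldap1-Ldap-Group and ldap2-Ldap-Group exist when the users file is read.
instantiate {
    ldap1
    ldap2
}

authorize {
    preprocess          # sets Huntgroup-Name from the huntgroups file
    files               # users file below: group check + Reject fallback
    redundant {
        ldap1
        ldap2
        notfound = return
    }
}

authenticate {
    Auth-Type LDAP {
        ldap1
        ldap2
    }
}

# --- users (added example) ---
# One entry per (huntgroup, ldap instance) pair; the first entry whose
# group comparison succeeds stops processing (Fall-Through = no), and the
# final DEFAULT rejects anyone who matched nothing.
DEFAULT Huntgroup-Name == "dial", ldap1-Ldap-Group == "dial"
    Fall-Through = no
DEFAULT Huntgroup-Name == "dial", ldap2-Ldap-Group == "dial"
    Fall-Through = no
DEFAULT Huntgroup-Name == "adsl", ldap1-Ldap-Group == "adsl"
    Fall-Through = no
DEFAULT Huntgroup-Name == "adsl", ldap2-Ldap-Group == "adsl"
    Fall-Through = no
DEFAULT Auth-Type := Reject
```

Two things to check when deploying this layout: the `DEFAULT Auth-Type := Reject` line must stay last, since the users file is matched top to bottom and the group entries rely on `Fall-Through = no` to stop before it; and when one directory server is down, each request still pays the connection attempt for that instance's `-Ldap-Group` comparison before the other instance's entry is tried, so a small `net_timeout` keeps the failover from turning into a per-request stall.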