Hi All,

I am in the process of rebuilding our servers to recent openldap and
freeradius versions in our lab and when done will re-write the ldap howto,
as I know it's pretty outdated by now.

Anyway, I've been playing around with using configurable failover for my
ldap setup and ran into an issue.

Now, I have found a workaround, so if you are trying to do
this, then read on.  I was also wondering if anyone knows of an easier way
to do this or suggestions on different ways to do group checks.

I started off just creating two ldap instances included in radiusd.conf.

For example:

ldap ldap1 {
 server = ldap1...
...
}
ldap ldap2 {
 server = ldap2...
...
}

Then in the authorize section, I have

...
files
redundant {
 ldap1
 ldap2
 notfound = return
}

In authenticate I have

Auth-Type LDAP {
  ldap1
  ldap2
}

That was working great!  I love this feature.  I could shut down ldap1 or
ldap2 and the autz and auth would just fail over to the other one.

Now, I decided to add Ldap-Group checks to the mix.  We provision our
users with what services they get using radiusgroupname.  So for a user
that had say dial and adsl access, they would get multiple radiusgroupname
attributes, one with dial and one with adsl.

i.e.:
dn: uid=dusty,ou=users,ou=radius,dc=...
objectclass: radiusprofile
uid: dusty
userpassword: dusty
radiusgroupname: dial
radiusgroupname: adsl

Now, in my users file, I added the following.

DEFAULT   Huntgroup-Name == dial, Ldap-Group == dial
  Fall-Through = no

DEFAULT Auth-Type := Reject

This worked great without redundant setup.  When a user comes in on a dial
line, we check to see if they have radiusgroupname: dial, if so we
authenticate them, if not they fall through to the Reject statement.

However, when I am using redundant, I cannot have this redundancy for
Ldap-Group lookups.  It appears that for Ldap-Group lookups, only the last
ldap instance that I create (ldap2) is actually used for Ldap-Group
lookups.  If I take down ldap1, I can still authenticate.  I get the
redundancy of ldap2 for autz and auth.  However, if I put ldap1 back up
and take down ldap2, I get a failure because I cannot lookup the
Ldap-Group, so it falls through to the reject statement.

So, reading through configurable failover, I tried instantiating both
ldap1 and ldap2.  This was neat, because I could specify ldap1-Ldap-Group
or ldap2-Ldap-Group.

That feature enabled my work around, which is to just make two entries for
each service in the users file.

i.e.:

DEFAULT Huntgroup-Name == dial, ldap1-Ldap-Group == dial
  Fall-Through = no

DEFAULT Huntgroup-Name == dial, ldap2-Ldap-Group == dial
  Fall-Through = no

However, I was wondering if anyone had any other ideas.  I have a lot of
huntgroups and services, so this will double my entries.  Not a big deal,
just looking to see if there is something easier.

Thanks,

-Dusty Doris


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
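For anyone wanting to reproduce the workaround described in this thread, here is the complete layout as one radiusd.conf and users file for FreeRADIUS 1.x. This is an added example, not Dusty's actual configuration: the hostnames, basedn, bind identity/password, filter and timeout values are all assumed, and the second huntgroup (adsl) is only there to show that the entries come in pairs per service.

```conf
# Added example (not the poster's config): both ldap instances are
# instantiated by name so that ldap1-Ldap-Group / ldap2-Ldap-Group exist,
# and the users file carries one entry per instance for each huntgroup.
# All hostnames, DNs, credentials and timeouts below are assumed values.

modules {
    ldap ldap1 {
        server = "ldap1.example.net"                     # assumed
        identity = "cn=radius,dc=example,dc=net"         # assumed low-privilege bind DN
        password = "change-me"                           # assumed
        basedn = "ou=users,ou=radius,dc=example,dc=net"  # assumed
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        # The Ldap-Group check compares against this multi-valued attribute
        # on the user entry, which is what the radiusgroupname LDIF relies on.
        groupmembership_attribute = "radiusgroupname"
        # Keep the network timeout short: when a server is down, every
        # ldapN-Ldap-Group check against it costs a failed connect first.
        net_timeout = 1
        timeout = 4
        timelimit = 3
        ldap_connections_number = 5
    }

    ldap ldap2 {
        server = "ldap2.example.net"                     # assumed
        identity = "cn=radius,dc=example,dc=net"         # assumed
        password = "change-me"                           # assumed
        basedn = "ou=users,ou=radius,dc=example,dc=net"  # assumed
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        start_tls = yes
        groupmembership_attribute = "radiusgroupname"
        net_timeout = 1
        timeout = 4
        timelimit = 3
        ldap_connections_number = 5
    }
}

# Naming both instances here is what creates the per-instance
# ldap1-Ldap-Group and ldap2-Ldap-Group check attributes.
instantiate {
    ldap1
    ldap2
}

authorize {
    preprocess          # sets Huntgroup-Name from the huntgroups file
    files
    redundant {
        ldap1
        ldap2
    }
}

authenticate {
    Auth-Type LDAP {
        redundant {
            ldap1
            ldap2
        }
    }
}

# ---- users file (read by the "files" module above) ----
# First matching entry wins and Fall-Through = no stops processing.
# If ldap1 is unreachable its group check simply does not match, so the
# ldap2 entry for the same huntgroup is tried next.
DEFAULT Huntgroup-Name == dial, ldap1-Ldap-Group == dial
        Fall-Through = no

DEFAULT Huntgroup-Name == dial, ldap2-Ldap-Group == dial
        Fall-Through = no

DEFAULT Huntgroup-Name == adsl, ldap1-Ldap-Group == adsl
        Fall-Through = no

DEFAULT Huntgroup-Name == adsl, ldap2-Ldap-Group == adsl
        Fall-Through = no

# Nobody above matched: the user is not in the group for this huntgroup on
# any reachable server, so fail closed.
DEFAULT Auth-Type := Reject
```

Two things worth checking when deploying something like this: the bind identity should be a read-only account that can see userpassword and radiusgroupname and nothing else, and net_timeout should stay small, because with a dead ldap1 every request first pays a connect timeout on the ldap1-Ldap-Group check before the ldap2 entry is consulted.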