Hi All,

Authentication takes more time when 2 LDAP servers are configured and one is not reachable. I have configured the redundant ldap module as specified in the doc.

authorize {
    ;;
    ;;
    redundant {
        ldap-server-1
        ldap-server-2
    }
}

authenticate {
    ;;
    ;;
    Auth-Type LDAP {
        redundant {
            ldap-server-1
            ldap-server-2
        }
    }
}
The corresponding ldap-server module configuration is:

ldap ldap-server-1 {
    ..
    ..
}

ldap ldap-server-2 {
    ..
    ..
}

1. In the users file, I added some 20 DEFAULT entries for ldap-server-1-Ldap-Group, for example:

DEFAULT ldap-server-1-Ldap-Group == "g1"

2. After that I added 30 DEFAULT entries for ldap-server-2-Ldap-Group; each DEFAULT entry looks like:

DEFAULT ldap-server-2-Ldap-Group == "g21"
..
..
DEFAULT ldap-server-2-Ldap-Group == "g50"

The ldap-server-1 is down now; only ldap-server-2 is reachable. When the request comes to the RADIUS server, it goes entry by entry through the "users" file, i.e., it connects to ldap-server-1 with the Ldap-Group tries from g1 till g20, and then connects to ldap-server-2 with Ldap-Group from "g21" till "g50". If the user is part of Ldap-Group "g50" it takes more time to return success; before that, the request times out and an EAP Start is received again from the wireless client.

If the number of DEFAULT entries for ldap-server-1 is less than 10, then it works fine. If the number of DEFAULT entries increases, the server takes more time to process.

I think the redundant LDAP server configuration is not correct, or there is some other way we can fix it. Is it possible to configure the RADIUS server in such a way that it tries ldap-server-1 for the first policy, and if it is reachable then checks it against the next policy; if it is not reachable, mark this server as dead (or whatever) and skip processing the following DEFAULT entries that match ldap-server-1, and instead process the ldap-server-2 entries?

Please help me in solving this issue. Thanks for any help.

Regards,
Nikitha
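The delay described in the post follows from the users file being walked entry by entry, with every ldap-server-1-Ldap-Group comparison paying a full connect timeout while that server is down. The model below is an added example, not FreeRADIUS code or anything from the original post: it replays the 20 + 30 DEFAULT entries against two simulated servers and compares the elapsed time with and without the "mark the server dead after one failure" behaviour the post asks about. The per-attempt timeout and query times are assumed values.

```python
"""Timing model of sequential DEFAULT-entry evaluation in a FreeRADIUS users
file when one of two LDAP servers is unreachable.  Constructed example; the
timeouts, query times and group names are assumptions, not measurements."""
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    reachable: bool
    connect_timeout: float  # seconds lost on each attempt while down (assumed)
    query_time: float       # seconds for one successful group comparison (assumed)


def build_entries(n_first=20, n_second=30):
    """users-file order from the post: g1..g20 on ldap-server-1, then
    g21..g50 on ldap-server-2, each as its own DEFAULT entry."""
    first = [("ldap-server-1", f"g{i}") for i in range(1, n_first + 1)]
    second = [("ldap-server-2", f"g{i}")
              for i in range(n_first + 1, n_first + n_second + 1)]
    return first + second


def evaluate_users_file(entries, servers, user_groups, mark_dead=False):
    """Walk DEFAULT entries in order; each '<server>-Ldap-Group == "g"' check
    costs one LDAP round trip to that server.  Returns (matched_group, seconds).
    With mark_dead=True a server that timed out once is skipped from then on,
    which is the behaviour the post asks whether the server can be made to do."""
    elapsed, dead = 0.0, set()
    for server_name, group in entries:
        if server_name in dead:
            continue                      # skipped: server already known dead
        srv = servers[server_name]
        if not srv.reachable:
            elapsed += srv.connect_timeout  # every attempt waits the full timeout
            if mark_dead:
                dead.add(server_name)
            continue
        elapsed += srv.query_time
        if group in user_groups:
            return group, elapsed
    return None, elapsed


# Constructed scenario from the post: ldap-server-1 down, user is in g50.
SERVERS = {
    "ldap-server-1": Server("ldap-server-1", False, connect_timeout=4.0, query_time=0.05),
    "ldap-server-2": Server("ldap-server-2", True, connect_timeout=4.0, query_time=0.05),
}

if __name__ == "__main__":
    for flag in (False, True):
        grp, t = evaluate_users_file(build_entries(), SERVERS, {"g50"}, mark_dead=flag)
        print(f"mark_dead={flag}: matched {grp} after {t:.1f}s")
```

With 20 dead-server entries the walk spends 80 s on timeouts before the first ldap-server-2 entry is even tried, which is why the EAP supplicant gives up and restarts; with the dead-marking behaviour only one timeout is paid.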
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html