Thursday, 10 March 2011

FreeRadius and fault tolerant LDAP servers

For various reasons I have to use the authorization and authentication scheme shown in the picture below.
I have read a lot of documentation but could not find how to make FreeRadius use the second LDAP server when the first one fails. There are many examples for the authorize section, but very few for authenticate, which in my case usually failed to switch to the second (slave) LDAP server.

Below are the extracts from the FreeRadius configuration files that let it keep working when either of the LDAP servers fails.

/etc/raddb/radiusd.conf

# Two rlm_ldap instances, one per LDAP server. The short timeout and net_timeout
# values bound how long a dead ldap1 can hold up a request before ldap2 is tried.
ldap ldap1 {
    server = "ldap1.example.com"
    port = "389"
    basedn = "dc=example,dc=com"
    filter = "(&(&(objectclass=posixAccount)(mail=%{Stripped-User-Name:-%{User-Name}}))(gidNumber=1500))"
    identity = "cn=readuser,dc=example,dc=com"
    password = PASSWORD
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}
ldap ldap2 {
    server = "ldap2.example.com"
    port = "389"
    basedn = "dc=example,dc=com"
    filter = "(&(&(objectclass=posixAccount)(mail=%{Stripped-User-Name:-%{User-Name}}))(gidNumber=1500))"
    identity = "cn=readuser,dc=example,dc=com"
    password = PASSWORD
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}
...
# redundant: the listed modules are tried in order, and the next one is only
# called if the previous one fails (server down, connection or query timeout).
authorize {
    preprocess
    redundant LDAP {
        ldap1
        ldap2
    }
}
...
# A separate Auth-Type sub-section for each LDAP instance.
authenticate {
    Auth-Type LDAP1 {
        ldap1
    }
    Auth-Type LDAP2 {
        ldap2
    }
}
#============== END OF radiusd.conf

And a small modification to the file /etc/raddb/users

#============== /etc/raddb/users

# Reply items on the continuation lines must be indented for the users file to parse them.
DEFAULT Auth-Type := LDAP1
        Service-Type = Login,
        Cisco-AVPair = "shell:priv-lvl=1"
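As an added check that is not part of the original post, the Python script below parses the ldap instances, the redundant block and the Auth-Type sections out of radiusd.conf extracts like the ones above and flags two things such a failover setup can get wrong: a member of the redundant block that has no matching ldap instance or Auth-Type section, and per-server timeouts whose sum reaches the NAS's RADIUS timeout, so that the NAS retransmits or marks the RADIUS server dead before the second LDAP server ever answers. The 5 second NAS timeout, the rlm_ldap defaults of 20/10 seconds and the "net_timeout + timeout per dead server" delay model are assumptions, and the embedded config is a constructed, trimmed copy of the post's own.

```python
import re

# Constructed sample: the post's radiusd.conf extracts, trimmed to the options used below.
RADIUSD_CONF = """
ldap ldap1 {
    filter = "(&(objectclass=posixAccount)(mail=%{Stripped-User-Name:-%{User-Name}}))"
    timeout = 4
    net_timeout = 1
}
ldap ldap2 {
    timeout = 4
    net_timeout = 1
}
authorize { redundant LDAP { ldap1 ldap2 } }
authenticate { Auth-Type LDAP1 { ldap1 }  Auth-Type LDAP2 { ldap2 } }
"""

def parse_ldap_instances(conf):
    # {instance: {option: value}} per `ldap NAME { ... }` block; braces are counted
    # per line, so the balanced %{...} expansions inside `filter` do not end the block
    instances, current, depth = {}, None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"ldap\s+(\w+)\s*\{", line) if current is None else None
        if m:
            current, depth = m.group(1), 1
            instances[current] = {}
        elif current is not None:
            depth += line.count("{") - line.count("}")
            if depth <= 0:
                current = None
            elif "=" in line:
                key, value = line.split("=", 1)
                instances[current][key.strip()] = value.strip().strip('"')
    return instances

def check_failover(conf, nas_timeout_s=5.0):
    # Assumption: a dead member costs up to net_timeout + timeout before the redundant
    # block moves on, so that delay must stay below the NAS's RADIUS retransmit timeout.
    instances = parse_ldap_instances(conf)
    block = re.search(r"redundant\s+LDAP\s*\{([^}]*)\}", conf)
    members = block.group(1).split() if block else []
    auth_types = {m.group(1).lower() for m in re.finditer(r"Auth-Type\s+(\w+)\s*\{", conf)}
    problems = [f"{n}: in redundant LDAP but lacks an ldap instance or Auth-Type section"
                for n in members if n not in instances or n.lower() not in auth_types]
    delay = sum(float(instances[n].get("net_timeout", 10)) + float(instances[n].get("timeout", 20))
                for n in members[:-1] if n in instances)
    if delay >= nas_timeout_s:
        problems.append(f"worst-case failover delay {delay:g}s reaches NAS timeout {nas_timeout_s:g}s")
    return delay, problems
```

With the post's values (timeout = 4, net_timeout = 1) the first server can consume the full 5 seconds a typical NAS waits, so the timeouts or the NAS timeout need adjusting for failover to be invisible to the user.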

Useful links:
FreeRadius fail-over
FreeRadius mailing list
