
I have read a lot of documentation, but I could not find how to force FreeRADIUS to use a second LDAP server when the first one fails. There are many examples for the authorize section, but very few for authenticate, which in my case usually failed to switch to the second (slave) LDAP server.
Below are extracts from the FreeRADIUS configuration files that make it work properly when either of the LDAP servers fails. The `redundant` block in authorize tries the instances in order and only moves on to the next one when the previous one returns "fail" (connection refused or timed out); the short `net_timeout` keeps that fail-over quick.
/etc/raddb/radiusd.conf

    # Two instances of rlm_ldap that differ only in the server they talk to.
    ldap ldap1 {
        server = "ldap1.example.com"
        port = "389"
        basedn = "dc=example,dc=com"
        # Note: the attribute is gidNumber (the original extract had a typo here)
        filter = "(&(&(objectclass=posixAccount)(mail=%{Stripped-User-Name:-%{User-Name}}))(gidNumber=1500))"
        identity = "cn=readuser,dc=example,dc=com"
        password = PASSWORD
        ldap_connections_number = 5
        timeout = 4        # seconds to wait for an LDAP operation
        timelimit = 3      # server-side search time limit in seconds
        net_timeout = 1    # seconds to wait for the TCP connection; keeps fail-over fast
    }
    ldap ldap2 {
        server = "ldap2.example.com"
        port = "389"
        basedn = "dc=example,dc=com"
        filter = "(&(&(objectclass=posixAccount)(mail=%{Stripped-User-Name:-%{User-Name}}))(gidNumber=1500))"
        identity = "cn=readuser,dc=example,dc=com"
        password = PASSWORD
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
    ...
    authorize {
        preprocess
        # ldap2 is only consulted when ldap1 returns "fail" (down or timed out)
        redundant LDAP {
            ldap1
            ldap2
        }
    }
    ...
    authenticate {
        Auth-Type LDAP1 {
            ldap1
        }
        Auth-Type LDAP2 {
            ldap2
        }
    }
    #============== END OF radiusd.conf
And a small modification in the file /etc/raddb/users (the reply items must be indented so they belong to the DEFAULT entry):

    #============== /etc/raddb/users
    DEFAULT Auth-Type := LDAP1
            Service-Type = Login,
            Cisco-AVPair = "shell:priv-lvl=1"
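Two things are worth checking before relying on a setup like this: that the two ldap instances really are identical apart from `server` (a drifted filter or basedn on the secondary silently changes who can log in once fail-over happens), and what the `redundant` block actually covers. The script below is an added example, not part of the original post or of FreeRADIUS itself. It parses a constructed copy of the two instance blocks (with a deliberate filter difference planted on ldap2 to show the check firing) and models the unlang `redundant` rule that only an rcode of "fail" moves on to the next module; the module names and rcode tables are my assumptions for the demonstration.

```python
import re

# Constructed config text modelled on the radiusd.conf extract above. The
# gidNumber value on ldap2 is intentionally different so the drift check has
# something to report.
RADIUSD_CONF = """
ldap ldap1 {
    server = "ldap1.example.com"
    port = "389"
    basedn = "dc=example,dc=com"
    filter = "(&(&(objectclass=posixAccount)(mail=%{Stripped-User-Name:-%{User-Name}}))(gidNumber=1500))"
    identity = "cn=readuser,dc=example,dc=com"
    password = PASSWORD
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}
ldap ldap2 {
    server = "ldap2.example.com"
    port = "389"
    basedn = "dc=example,dc=com"
    filter = "(&(&(objectclass=posixAccount)(mail=%{Stripped-User-Name:-%{User-Name}}))(gidNumber=1501))"
    identity = "cn=readuser,dc=example,dc=com"
    password = PASSWORD
    ldap_connections_number = 5
    timeout = 4
    timelimit = 3
    net_timeout = 1
}
"""

# One `ldap <name> { ... }` block; the closing brace must start a line.
BLOCK_RE = re.compile(r'^ldap\s+(\w+)\s*\{(.*?)^\}', re.S | re.M)
# One `key = value` line inside a block.
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*?)\s*$', re.M)


def parse_ldap_instances(conf):
    """Return {instance_name: {key: value}} for every ldap block in conf."""
    instances = {}
    for match in BLOCK_RE.finditer(conf):
        name, body = match.group(1), match.group(2)
        instances[name] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return instances


def instance_drift(instances, allowed=('server',)):
    """Compare every instance against the first one (sorted by name) and
    return {(instance, key): (reference_value, other_value)} for each key that
    differs and is not in the allowed set."""
    names = sorted(instances)
    base = instances[names[0]]
    drift = {}
    for name in names[1:]:
        other = instances[name]
        for key in sorted(set(base) | set(other)):
            if key in allowed:
                continue
            if base.get(key) != other.get(key):
                drift[(name, key)] = (base.get(key), other.get(key))
    return drift


def redundant(modules, rcodes):
    """Model of an unlang `redundant { }` block: modules run in order, and the
    block only moves to the next module when the previous one returned 'fail'.
    Any other rcode (ok, reject, notfound, ...) ends the block with that code.
    Returns (block_rcode, list_of_modules_that_were_tried)."""
    tried = []
    for module in modules:
        tried.append(module)
        if rcodes[module] != 'fail':
            return rcodes[module], tried
    return 'fail', tried


def failover_matrix():
    """Constructed outcomes for the `redundant LDAP { ldap1 ldap2 }` block."""
    chain = ['ldap1', 'ldap2']
    return {
        # primary down or timed out: the secondary is used
        'primary_down': redundant(chain, {'ldap1': 'fail', 'ldap2': 'ok'}),
        # both down: the whole block fails
        'both_down': redundant(chain, {'ldap1': 'fail', 'ldap2': 'fail'}),
        # primary answered "user not found": no fall-through to the secondary
        'primary_notfound': redundant(chain, {'ldap1': 'notfound', 'ldap2': 'ok'}),
        # primary rejected the request: the secondary is never consulted
        'primary_reject': redundant(chain, {'ldap1': 'reject', 'ldap2': 'ok'}),
    }


if __name__ == '__main__':
    inst = parse_ldap_instances(RADIUSD_CONF)
    for (name, key), (ref, val) in instance_drift(inst).items():
        print(f'drift: {name}.{key} = {val!r} (reference {ref!r})')
    for case, (rc, tried) in failover_matrix().items():
        print(f'{case:18s} -> {rc:8s} tried {tried}')
```

The matrix makes the scope of the fail-over explicit: `redundant` protects against an unreachable server, not against a negative answer from a reachable one, so a "notfound" or "reject" from ldap1 is final even if ldap2 would have answered differently. That is the behaviour you want for an authentication path, and the drift check is how you make sure the two servers would in fact have answered the same.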
Useful links:
FreeRadius fail-over
FreeRadius mailing list