(RADIATOR) multiple LDAP servers

Jethro R Binks jethro.binks at strath.ac.uk
Thu Sep 21 18:03:59 CDT 2006


On Thu, 21 Sep 2006, Rob Hunter wrote:

> Any idea what the syntax for multiple LDAP servers is in the AuthBy 
> section of radius.cfg?
> 
> currently I have:
> 
> <radius.cfg>
>        <AuthBy LDAP2>
>                Host ldap.server.com
>                Version 3
> ...........
> </snip>
> 
> adding another 'Host' statement below that doesn't seem to give me any 
> error, and taking the first server offline doesn't produce the required 
> results. I'm not wanting to round-robin the requests, just have a 
> failover type scenario.

I do something like this.  Essentially, we have something a bit like:

<AuthBy GROUP>
        Identifier      ldapservers
        AuthBy          ldap1
        AuthBy          ldap2
        AuthBy          ldap3
</AuthBy>

There is an implicit ContinueWhileIgnore, which means that if ldap1 is 
unavailable, the next one is tried.

Previous to the above clause, you need to define the AuthBys:

<AuthBy LDAP2>
        Identifier      ldap1
        Host            ldapservername
        ... other ldap stuff, BaseDN, etc
        NoDefault
</AuthBy>

The above notes are a bit quick, but might help; I actually want to ask 
another question which has just arisen for me.  Perhaps the answer is 
obvious, but it is too late for me to work it out for myself today!

Having the above scenario, I want to log which LDAP server actually gave 
the response we are using (i.e., yes or no to a password check for a user 
in this case); I currently do things like:

# Log authentication activities to a file
<AuthLog FILE>
        Identifier      authlog
...
        LogSuccess      1
        LogFailure      1
        SuccessFormat %l OK   \
                client=%C clientip=%c clientident=%{Client:Identifier} \
                nasip=%N \
                requser=%u user=%U realm=%R pass=* \
                handler=%{Handler:Identifier} \
                rmessage=%{Reply:Reply-Message}
...

I'd like to get the Identifier of the ultimate AuthBy clause which 
produced the answer in that log line too.

Any obvious answer I've missed?

Jethro.

> 
> Regards
> 
> --Rob
> 
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
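For readers arriving at this thread from the archive, here is the failover arrangement described in the reply above written out as one complete fragment. This is an added example, not configuration from either poster; the host names, BaseDN and bind DN are placeholders, and every parameter beyond those shown in the thread (AuthByPolicy, Timeout, FailureBackoffTime, ServerChecksPassword, AuthDN) is a standard Radiator AuthBy GROUP / AuthBy LDAP2 parameter, used here to make the failover behaviour explicit rather than relying on defaults.

```text
# --- Added example: two LDAP servers with failover, not round-robin ---
# Each AuthBy LDAP2 returns IGNORE (not REJECT) when its server cannot be
# reached, so the GROUP below falls through to the next one.  A genuine
# REJECT (wrong password) from the first reachable server ends the chain,
# which is what a failover setup should do.

<AuthBy LDAP2>
        Identifier          ldap1
        Host                ldap1.example.com       # placeholder
        Version             3
        BaseDN              ou=people,dc=example,dc=com   # placeholder
        UsernameAttr        uid
        # Let the directory check the password by binding as the user,
        # instead of reading a password attribute back over the wire.
        ServerChecksPassword
        # Bind account used only for the search; keep it read-only in the DIT.
        AuthDN              cn=radius,ou=services,dc=example,dc=com   # placeholder
        AuthPassword        CHANGE-ME                                  # placeholder
        # Bound how long a dead server can stall one request, and how long
        # Radiator treats the server as down before retrying it.
        Timeout             3
        FailureBackoffTime  60
        NoDefault
</AuthBy>

<AuthBy LDAP2>
        Identifier          ldap2
        Host                ldap2.example.com       # placeholder
        Version             3
        BaseDN              ou=people,dc=example,dc=com   # placeholder
        UsernameAttr        uid
        ServerChecksPassword
        AuthDN              cn=radius,ou=services,dc=example,dc=com   # placeholder
        AuthPassword        CHANGE-ME                                  # placeholder
        Timeout             3
        FailureBackoffTime  60
        NoDefault
</AuthBy>

<AuthBy GROUP>
        Identifier      ldapservers
        # This is the default policy; stated explicitly so the failover
        # intent survives a later edit.  Only an IGNORE moves on to the next
        # AuthBy; an ACCEPT or REJECT is final.
        AuthByPolicy    ContinueWhileIgnore
        AuthBy          ldap1
        AuthBy          ldap2
</AuthBy>

<Handler>
        AuthBy  ldapservers
</Handler>
```

Two things worth checking in a real deployment: with the default LDAP Timeout every request still waits on the dead server until FailureBackoffTime marks it down, so a small Timeout is what keeps users from seeing long delays during an outage; and the log line in the thread records the Handler and the reply, not which member of the GROUP answered, so for that part of the question the AuthLog alone is not enough.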
