[RADIATOR] LDAP_APS and Multiple APS servers
Matt Richard
matt.richard at fandm.edu
Thu Jul 17 09:08:44 CDT 2008
Hello,
I had an issue last week and I want to run it past you to get your thoughts.
I'm running Radiator on Mac OSX 10.5 servers. My Open Directory
infrastructure consists of four servers - one OD master and three OD
replicas. I have three instances of Radiator running, each one on an OD
replica.
I am using an LDAP_APS section to perform password authentication
against my OD servers for EAP-TTLS users.
When I took my OD master down for maintenance last week, all Radiator
instances stopped authenticating users. As I turned on debugging and
looked through the logs, I noticed that Radiator was attempting all
authentication against the OD master, which was unavailable at the time.
I would suspect that Radiator is using the IP address at the end of the
user's authAuthority string, even though I have specified to use the
local system through the loopback interface.
My LDAP_APS section looks like this:
<AuthBy LDAP_APS>
Identifier CheckPass
# Tell Radiator how to talk to the LDAP server
Host 127.0.0.1
Version 3
BaseDN dc=example,dc=org
UsernameAttr uid
FailureBackoffTime 30
# don't try uid=DEFAULT
NoDefault
PasswordAttr authAuthority
</AuthBy>
Would it be possible to have a configuration option to override the
behavior of LDAP_APS as it decides which IP address to use for the
password server?
I would prefer to have each Radiator instance use the password server on
the local system instead of having them all point at only the OD master.
Another idea is to use the list of password server replicas in the ldap
entry cn=passwordserver,cn=config,dc=example,dc=org and iterate through
the list looking for available servers.
Assuming I'm correct about the IP address choice made by LDAP_APS (and I
could be wrong here...) I would like to get a more robust yet elegant
method of choosing a password server.
Thanks!
-Matt
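As an added illustration (not Radiator's own code, and not from the poster) of the selection behaviour the mail asks for: a chooser that tries the locally configured Host first, then a replica list such as the one kept under cn=passwordserver,cn=config, and only last the IP at the end of the user's authAuthority value, holding a failed host down for a FailureBackoffTime-style interval. The authAuthority layout (only that it ends in an IP, as the mail says), the addresses and the replica list are constructed assumptions.

```python
import time

# Assumed layout: ";ApplePasswordServer;<slot>,<pubkey> user@host:<ip>"
# The mail only states that the IP sits at the very end of the value.
def apsIpFromAuthAuthority(aa):
    """Return the IP at the end of an ApplePasswordServer authAuthority, else None."""
    if not aa.startswith(";ApplePasswordServer;") or ":" not in aa:
        return None
    return aa.rsplit(":", 1)[-1].strip() or None

class ApsChooser:
    """Pick a reachable password server instead of always using the OD master."""

    def __init__(self, local_host, replicas, backoff_secs, clock=time.time):
        self.local_host = local_host          # e.g. the Host 127.0.0.1 from the config
        self.replicas = list(replicas)        # replica list (constructed here)
        self.backoff = backoff_secs           # FailureBackoffTime equivalent
        self.clock = clock                    # injectable for testing
        self.failed_until = {}                # host -> time until we retry it

    def candidates(self, aa):
        """Local first, then replicas, then the authAuthority IP; no duplicates."""
        order = [self.local_host] + self.replicas
        ip = apsIpFromAuthAuthority(aa)
        if ip:
            order.append(ip)
        seen = []
        for h in order:
            if h not in seen:
                seen.append(h)
        return seen

    def choose(self, aa, is_up):
        """Return the first candidate that is not in backoff and answers, or None."""
        now = self.clock()
        for h in self.candidates(aa):
            if self.failed_until.get(h, 0) > now:
                continue                      # still held down after a failure
            if is_up(h):
                return h
            self.failed_until[h] = now + self.backoff
        return None
```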