[RADIATOR] LDAP_APS and Multiple APS servers

Mike McCauley mikem at open.com.au
Thu Jul 17 16:59:45 CDT 2008


Hello Matt,

On Friday 18 July 2008 00:08, Matt Richard wrote:
> Hello,
>
> I had an issue last week and I want to run it past you to get your
> thoughts.
>
> I'm running Radiator on Mac OSX 10.5 servers.  My Open Directory
> infrastructure consists of four servers - one OD master and three OD
> replicas.  I have three instances of Radiator running, each one on an OD
> replica.
>
> I am using an LDAP_APS section to perform password authentication
> against my OD servers for EAP-TTLS users.
>
> When I took my OD master down for maintenance last week, all Radiator
> instances stopped authenticating users.  As I turned on debugging and
> looked through the logs, I noticed that Radiator was attempting all
> authentication against the OD master, which was unavailable at the time.
>
> I would suspect that Radiator is using the IP address at the end of the
> user's authAuthority string, even though I have specified to use the
> local system through the loopback interface.
>
> My LDAP_APS section looks like this:
>
> <AuthBy LDAP_APS>
>     Identifier CheckPass
>
>     # Tell Radiator how to talk to the LDAP server
>     Host            127.0.0.1
>     Version        3
>     BaseDN          dc=example,dc=org
>     UsernameAttr    uid
>     FailureBackoffTime 30
>
>     # don't try uid=DEFAULT
>     NoDefault
>
>     PasswordAttr    authAuthority
>
> </AuthBy>
>
> Would it be possible to have a configuration option to override the
> behavior of LDAP_APS as it decides which IP address to use for the
> password server?
>
> I would prefer to have each Radiator instance use the password server on
> the local system instead of having them all point at only the OD master.
>
> Another idea is to use the list of password server replicas in the ldap
> entry cn=passwordserver,cn=config,dc=example,dc=org and iterate through
> the list looking for available servers.
>
> Assuming I'm correct about the IP address choice made by LDAP_APS (and I
> could be wrong here...) I would like to get a more robust yet elegant
> method of choosing a password server.

Yes, AuthBy LDAP_APS gets the IP address of the password server from the LDAP 
server. This is (as we understand it) the way it is expected to behave.

However, we have now added support for a new parameter PasswordServerAddress 
to AuthBy LDAP_APS, which forces Radiator to use the specified address as the 
address of the Apple Password Server, instead of deducing it from the user's 
password details. Addresses may be one of the forms: 203.63.154.59, 
dns/yoke.open.com.au, ipv4/203.63.154.59 or ipv6/2001:720:1500:1::a100. 
This can be useful with replicated password servers.

The support is now in the latest patch set. Please let me know if it works OK 
for you.

Cheers.

>
> Thanks!
>
> -Matt
>
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco etc 
on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
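Added example, not part of the original thread: the questioner's AuthBy 
LDAP_APS section as posted, beside the same section with the 
PasswordServerAddress parameter from the reply. The parameter name and the 
accepted address forms are those quoted in the reply; the addresses and the 
hostname od-replica1.example.org are assumptions chosen to pin each 
Radiator instance to the replica it runs on, and assume the Apple Password 
Server on that replica is reachable at the address given.

```apacheconf
# As posted: LDAP lookups go to the local replica on 127.0.0.1, but the
# password server address is still taken from the end of each user's
# authAuthority value, so every instance binds to the OD master and
# stops authenticating when the master is down.
<AuthBy LDAP_APS>
    Identifier CheckPass
    Host            127.0.0.1
    Version         3
    BaseDN          dc=example,dc=org
    UsernameAttr    uid
    FailureBackoffTime 30
    NoDefault
    PasswordAttr    authAuthority
</AuthBy>

# With the parameter from the patch set referred to in the reply: the
# password server address is forced to the value given here instead of
# being deduced from authAuthority. Assumed value: the replica's own
# address, so each instance depends only on its local replica.
<AuthBy LDAP_APS>
    Identifier CheckPass
    Host            127.0.0.1
    Version         3
    BaseDN          dc=example,dc=org
    UsernameAttr    uid
    FailureBackoffTime 30
    NoDefault
    PasswordAttr    authAuthority
    # Pin the Apple Password Server to the local replica (assumed address).
    PasswordServerAddress ipv4/127.0.0.1
    # The other forms the reply lists, with assumed values:
    #   PasswordServerAddress 127.0.0.1
    #   PasswordServerAddress dns/od-replica1.example.org
    #   PasswordServerAddress ipv6/::1
</AuthBy>
```

One caveat worth checking before relying on this: pinning a single address 
moves the dependency from the OD master to whichever server is named, so an 
instance configured this way fails if its own replica is down rather than 
if the master is. Confirm in the Radiator reference manual for the version 
you run that PasswordServerAddress is present (the reply says it shipped in 
a patch set) and test the failover case with the master stopped, as in the 
original report.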
