[RADIATOR] LDAP_APS and Multiple APS servers

Matt Richard matt.richard at fandm.edu
Fri Jul 18 09:07:55 CDT 2008


Hi, Mike,

Mike McCauley wrote:
> Hello Matt,
>
> On Friday 18 July 2008 00:08, Matt Richard wrote:
>   
>> Hello,
>>
>> I had an issue last week and I want to run it past you to get your
>> thoughts.
>>
>> I'm running Radiator on Mac OSX 10.5 servers.  My Open Directory
>> infrastructure consists of four servers - one OD master and three OD
>> replicas.  I have three instances of Radiator running, each one on an OD
>> replica.
>>
>> I am using an LDAP_APS section to perform password authentication
>> against my OD servers for EAP-TTLS users.
>>
>> When I took my OD master down for maintenance last week, all Radiator
>> instances stopped authenticating users.  As I turned on debugging and
>> looked through the logs, I noticed that Radiator was attempting all
>> authentication against the OD master, which was unavailable at the time.
>>
>> I would suspect that Radiator is using the IP address at the end of the
>> user's authAuthority string, even though I have specified to use the
>> local system through the loopback interface.
>>
>> My LDAP_APS section looks like this:
>>
>> <AuthBy LDAP_APS>
>>     Identifier CheckPass
>>
>>     # Tell Radiator how to talk to the LDAP server
>>     Host            127.0.0.1
>>     Version        3
>>     BaseDN          dc=example,dc=org
>>     UsernameAttr    uid
>>     FailureBackoffTime 30
>>
>>     # don't try uid=DEFAULT
>>     NoDefault
>>
>>     PasswordAttr    authAuthority
>>
>> </AuthBy>
>>
>> Would it be possible to have a configuration option to override the
>> behavior of LDAP_APS as it decides which IP address to use for the
>> password server?
>>
>> I would prefer to have each Radiator instance use the password server on
>> the local system instead of having them all point at only the OD master.
>>
>> Another idea is to use the list of password server replicas in the ldap
>> entry cn=passwordserver,cn=config,dc=example,dc=org and iterate through
>> the list looking for available servers.
>>
>> Assuming I'm correct about the IP address choice made by LDAP_APS (and I
>> could be wrong here...) I would like to get a more robust yet elegant
>> method of choosing a password server.
>>     
>
> Yes, AuthBy LDAP_APS gets the IP address of the password server from the LDAP 
> server. This is (as we understand it) the way it is expected to behave.
>   

Apple OD clients used to get the list of password servers from ldap, 
then starting at the top, send out a query to each server.  The first to 
respond was the server used, which usually ended up being the master.  
This caused the master to become overwhelmed and the replicas to be 
underutilized.  I believe this was the behavior with 10.3.x OD clients 
but it was changed to a more dynamic choice in 10.4.x, with preference 
weighted toward the server used for ldap.

> However, we have now added support for a new parameter PasswordServerAddress 
> to AuthBy LDAP_APS, which forces Radiator
> to use the specified address as the address of the Apple Password
> server, instead of deducing it from the user's password
> details. Addresses may be one of the forms: 203.63.154.59,
> dns/yoke.open.com.au, ipv4/203.63.154.59 or
> ipv6/2001:720:1500:1::a100. This can be useful with
> replicated password servers. 
>
> The support is now in the latest patch set. Please let me know if it works OK 
> for you.
>
>   
It's working very nicely.  I pointed it at the loopback address, 
127.0.0.1, on each OD replica.*

*Thank you for the fix!

-Matt

-- 
Matt Richard '08
Access and Security Coordinator
Computing Services
Franklin & Marshall College
matt.richard at fandm.edu
(717) 291-4157
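The thread above describes two ways of picking the Apple Password Server: deducing it from the tail of the user's authAuthority attribute (the default, which sends every Radiator instance to the OD master), or forcing it with the new PasswordServerAddress parameter in one of the forms listed in Mike's reply. The Python below is an added illustration of that selection logic, not code from Radiator or from the original posts. The authAuthority layout it parses (";ApplePasswordServer;<slot>,<public key> user@host:ip") is an assumption made for the example; only the trailing "host:ip" part is relied on, and the sample value is constructed.

```python
import ipaddress
import re

# Constructed sample authAuthority value.  The ";ApplePasswordServer;..." shape
# is assumed for this example; the only part used is the trailing host:ip,
# which is where the password server's address is carried.
SAMPLE_AUTH_AUTHORITY = (
    ";ApplePasswordServer;0x4a2f1c0000000001,"
    "1024 35 1234567890 root@odmaster.example.org:192.0.2.10"
)


def password_server_from_auth_authority(auth_authority):
    """Return the password-server IP embedded in an authAuthority string.

    This is the default behaviour the thread describes: on every replica the
    attribute still names the master, so every instance ends up there.
    """
    if not auth_authority.startswith(";ApplePasswordServer;"):
        raise ValueError("not an ApplePasswordServer authority")
    tail = auth_authority.rsplit(":", 1)[-1].strip()   # text after the last ':'
    return str(ipaddress.ip_address(tail))             # validates it is an IP


def parse_password_server_address(value):
    """Parse the PasswordServerAddress forms named in the reply:
    203.63.154.59, dns/host, ipv4/addr, ipv6/addr -> (family, address)."""
    m = re.fullmatch(r"(dns|ipv4|ipv6)/(.+)", value)
    if m:
        family, addr = m.group(1), m.group(2)
        if family == "ipv4":
            ipaddress.IPv4Address(addr)   # raises on a malformed literal
        elif family == "ipv6":
            ipaddress.IPv6Address(addr)
        return family, addr
    ip = ipaddress.ip_address(value)      # bare literal, family inferred
    return ("ipv4" if ip.version == 4 else "ipv6"), str(ip)


def choose_password_server(auth_authority, password_server_address=None):
    """An explicit PasswordServerAddress wins; otherwise deduce from the user."""
    if password_server_address:
        return parse_password_server_address(password_server_address)
    return "ipv4", password_server_from_auth_authority(auth_authority)


def fleet_targets(replica_overrides, auth_authority):
    """Map each Radiator instance ({name: PasswordServerAddress or None}) to the
    address its password checks will go to."""
    return {name: choose_password_server(auth_authority, override)[1]
            for name, override in replica_overrides.items()}


if __name__ == "__main__":
    # Before: three replicas, no override -> all three hit the master.
    before = {"replica1": None, "replica2": None, "replica3": None}
    # After: each instance pinned to the password server on its own host.
    after = {name: "127.0.0.1" for name in before}
    print("without override:", fleet_targets(before, SAMPLE_AUTH_AUTHORITY))
    print("with override:   ", fleet_targets(after, SAMPLE_AUTH_AUTHORITY))
```

The "before" map is the situation Matt hit: taking the master down leaves every instance with an unreachable password server even though each one sits on a healthy replica. Pinning PasswordServerAddress to 127.0.0.1 only helps if a password server replica really runs on the same host as each Radiator instance, which is the layout described in the thread.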


