<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi, Mike,<br>
<br>
Mike McCauley wrote:
<blockquote cite="mid:200807180759.45662.mikem@open.com.au" type="cite">
<pre wrap="">Hello Matt,
On Friday 18 July 2008 00:08, Matt Richard wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hello,
I had an issue last week and I want to run it past you to get your
thoughts.
I'm running Radiator on Mac OSX 10.5 servers. My Open Directory
infrastructure consists of four servers - one OD master and three OD
replicas. I have three instances of Radiator running, each one on an OD
replica.
I am using an LDAP_APS section to perform password authentication
against my OD servers for EAP-TTLS users.
When I took my OD master down for maintenance last week, all Radiator
instances stopped authenticating users. As I turned on debugging and
looked through the logs, I noticed that Radiator was attempting all
authentication against the OD master, which was unavailable at the time.
I would suspect that Radiator is using the IP address at the end of the
user's authAuthority string, even though I have specified to use the
local system through the loopback interface.
My LDAP_APS section looks like this:
<AuthBy LDAP_APS>
Identifier CheckPass
# Tell Radiator how to talk to the LDAP server
Host 127.0.0.1
Version 3
BaseDN dc=example,dc=org
UsernameAttr uid
FailureBackoffTime 30
# don't try uid=DEFAULT
NoDefault
PasswordAttr authAuthority
</AuthBy>
Would it be possible to have a configuration option to override the
behavior of LDAP_APS as it decides which IP address to use for the
password server?
I would prefer to have each Radiator instance use the password server on
the local system instead of having them all point at only the OD master.
Another idea is to use the list of password server replicas in the ldap
entry cn=passwordserver,cn=config,dc=example,dc=org and iterate through
the list looking for available servers.
Assuming I'm correct about the IP address choice made by LDAP_APS (and I
could be wrong here...) I would like to get a more robust yet elegant
method of choosing a password server.
</pre>
</blockquote>
<pre wrap=""><!---->
Yes, AuthBy LDAP_APS gets the IP address of the password server from the LDAP
server. This is (as we understand it) the way it is expected to behave.
</pre>
</blockquote>
<br>
Apple OD clients used to get the list of password servers from ldap,
then starting at the top, send out a query to each server. The first
to respond was the server used, which usually ended up being the
master. This caused the master to become overwhelmed and the replicas
to be underutilized. I believe this was the behavior with 10.3.x OD
clients but it was changed to a more dynamic choice in 10.4.x., with
preference weighted toward the server used for ldap.<br>
<blockquote cite="mid:200807180759.45662.mikem@open.com.au" type="cite">
<pre wrap="">
However, we have now added support for a new parameter PasswordServerAddress
to AuthBy LDAP_APS, which forces Radiator
to use the specified address as the address of the Apple Password
server, instead of deducing it from the user's password
details. Addresses may be one of the forms: 203.63.154.59,
dns/yoke.open.com.au, ipv4/203.63.154.59 or
ipv6/2001:720:1500:1::a100. This can be useful with
replicated password servers.
The support is now in the latest patch set. Please let me know if it works OK
for you.
</pre>
</blockquote>
It's working very nicely. I pointed it at the loopback address,
127.0.0.1, on each OD replica.<b><br>
<br>
</b>Thank you for the fix!<br>
<br>
-Matt<br>
<br>
<pre class="moz-signature" cols="72">--
Matt Richard '08
Access and Security Coordinator
Computing Services
Franklin & Marshall College
<a class="moz-txt-link-abbreviated" href="mailto:matt.richard@fandm.edu">matt.richard@fandm.edu</a>
(717) 291-4157
</pre>
</body>
</html>