Solved

Redundancy for LDAP authentication

Posted on 2004-10-04
1,105 Views
Last Modified: 2010-05-18
In order to provide user authentication in our Unix/Linux infrastructure, we have OpenLDAP installed on the main server, with satellite servers/workstations being authenticated against it via PAM settings.

What is the best way of providing redundancy in such a setup, in case the LDAP server is down? As far as I know, it is impossible to define an alternative LDAP server in the PAM configuration, so what would be the other alternatives to provide redundancy?

If there is no solution on the application layer, could there be a solution on the network level? Redirection etc.? Any software/hardware to perform this? (I don't have a budget for additional equipment, but your suggestions would be valuable.)

Regards,
Question by:cagri
11 Comments
 
LVL 5

Expert Comment

by:zerofield
ID: 12226737
If you're using Linux, clustering and high availability are options; however, they aren't entirely sophisticated in the Linux realm just yet. You can check out Linux Virtual Server at:
http://www.linuxvirtualserver.org/

Linux High Availability at:
http://linux-ha.org/

There are several heartbeat polling scripts I've seen out there that would likely work for this. LDAP can be a picky bastard sometimes, so I'm not sure how well this would work. You would have to manage to replicate the LDAP database to both servers, and have polling going on to determine whether it's time to fail off the dead server or not.

I need to research things like this myself. If I have some free time this week, I'll check this out for you.
 
LVL 3

Author Comment

by:cagri
ID: 12229865
Dear Zerofield,

It still sounds frustrating to me that we don't have a "secondary server" option in PAM!!!

I am really interested in any polling options and looking forward to hearing the results of your possible research...
 
LVL 5

Expert Comment

by:swinterborn
ID: 12231654
I don't know OpenLDAP and Linux, but virtually any decent LDAP implementation will include the ability to replicate the database to multiple servers (may not be open source, but IBM SecureWay Directory Server is a free download and supports 2-tier replication). Once your database is replicated, for this particular scenario you ought to be able to use some form of load-balancing hardware to monitor the status of your servers and only forward client requests to servers which are alive (e.g., Cisco Content Switches: the 11000 series or modules for 6500 chassis).

You would need to set the hardware up to be 'sticky' on the client IP address: once a client has connected through the switch, all traffic from that client will be directed at the same node, otherwise you get problems with bind info being lost. Not a problem if your low-level systems are using a successful client bind to authenticate the user; more problematic if the low-level system is binding to LDAP itself in order to verify user credentials.

HTH
 
LVL 3

Author Comment

by:cagri
ID: 12235006
Dear Swinterborn;

I have no problem with replication but need a solution for redirection (or a redundancy option within PAM). As you may agree, buying a 6500 is a rather expensive solution :)
 
LVL 5

Expert Comment

by:swinterborn
ID: 12236040
I don't know PAM so can't comment on that, but conceptually there are only 3 solutions to redundancy:

1) Make your client app capable of redundancy, e.g., Win2k logon on a workstation retrieves a list of DCs and works down the list until it finds a responsive DC.
2) Make your server capable of redundancy, with some form of clustering or network load balancing, e.g., the client hits a virtual IP and the server-side app directs the traffic at an available node. Could be active-passive clustering or something like MS App Centre, where all nodes listen concurrently on the same IP and run internal algorithms to determine which node should respond.
3) Introduce a network device. (The Cisco devices are only examples; I don't know if other manufacturers have cheaper products.)

If PAM does not support 1), and 3) is too expensive, your only option is 2): in your case, adding high-availability options to the Linux OS as zerofield says.

Cheers
 
LVL 5

Expert Comment

by:zerofield
ID: 12237270
Are you using OpenGINA in conjunction with your OpenLDAP?
 

Accepted Solution

by:
benjamin_smee earned 200 total points
ID: 12240820
I use PAM + OpenLDAP and have a fully redundant setup. Your initial statement is incorrect: all you need to do is specify an alternative LDAP server in your /etc/ldap.conf, e.g.:
uri ldaps://ldap1.yoursite.com ldaps://ldap2.yoursite.com

The only time you can't do this is on the actual LDAP servers themselves; in that case you need to configure PAM to correctly fall back to whatever authentication you want, in my case files.
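For readers who want to see the complete picture, here is an added example (not part of benjamin_smee's post) of what the client side of that setup looks like with the PADL pam_ldap/nss_ldap client: a two-server "uri" line in /etc/ldap.conf with timeouts so a dead primary is abandoned quickly, plus a PAM auth stack that consults local files before LDAP so the directory servers themselves can still log in with files when the directory is down. The hostnames, base DN and certificate path are assumptions; the directive names are the standard PADL ldap.conf keywords.

```conf
# /etc/ldap.conf  (pam_ldap / nss_ldap client configuration; hostnames and
# base DN below are placeholders, not real servers)

# Two servers on one "uri" line: the client tries ldap1 first and moves on to
# ldap2 when ldap1 does not answer.  Both must hold the same replicated data,
# or a failover will silently change who can authenticate.
uri ldaps://ldap1.example.com ldaps://ldap2.example.com
base dc=example,dc=com

# Encrypt and verify the server certificate, so that failing over to the
# second host cannot be abused to redirect binds to an untrusted listener.
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/example-ca.crt

# Fail fast instead of hanging logins while a server is down:
bind_policy soft        # do not retry a dead server indefinitely
bind_timelimit 5        # seconds to wait for the TCP/TLS connection
timelimit 10            # seconds to wait for a search result
nss_reconnect_tries 2   # reconnect attempts before nss_ldap gives up

# /etc/pam.d/system-auth  (auth section only; name of the file varies by distro)
# Local files are tried first, so root and local admin accounts keep working
# on the LDAP servers themselves even when slapd is not running.
auth    sufficient  pam_unix.so
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_deny.so
```

To confirm the failover actually works, stop slapd on ldap1 and run `getent passwd some-ldap-user` and an `ldapsearch -x -H ldaps://ldap2.example.com -b dc=example,dc=com -s base` from a client; the first should still return the user within the configured timeouts, and the second proves the secondary is serving the same base. A client that still hangs for a long time on the dead primary usually has `bind_policy hard` (the default) or no `bind_timelimit` set.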
 
LVL 3

Author Comment

by:cagri
ID: 12246119
Zerofield: No, what is OpenGINA, indeed?!
 
LVL 3

Author Comment

by:cagri
ID: 12246125
Benjamin smee:

This was what I wanted to hear, let me check this ...
 
LVL 5

Expert Comment

by:zerofield
ID: 12248764
OpenGINA is a login replacement for "GINA" (that's the name of the login screen on Win2k+ ... go figure). I was just curious; it would only vaguely relate to this question.

It looks like Benjamin has the solution. I'm going to test it out myself today or tomorrow if time permits.
 
LVL 3

Author Comment

by:cagri
ID: 12251039
Ok... Thanks everyone for taking the time and responding. It seems it will take a bit until I test the suggested solution. So the points go to Benjamin.
