  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1150

Redundancy for LDAP authentication

In order to provide user authentication in our Unix/Linux infrastructure, we have an OpenLDAP installed on the main server, with satellite servers/workstations being authenticated against this one via PAM settings.

What is the best way of providing redundancy in such a setup, in case the LDAP server is down? As far as I know, it is impossible to define an alternative LDAP server in the PAM configuration, so what would be the other alternatives to provide redundancy?

If there is no solution on the application layer, could there be a solution on the network level? Redirection etc.? Any software/hardware to perform this? (I don't have budget for additional equipment, but your suggestions would be valuable.)

Regards,
cagri
1 Solution
 
zerofieldCommented:
If you're using Linux, clustering and high-availability are options; however, they aren't entirely sophisticated in the Linux realm just yet. You can check out Linux Virtual Server at:
http://www.linuxvirtualserver.org/

Linux High Availability at:
http://linux-ha.org/

There are several heartbeat polling scripts I've seen out there that would likely work for this. LDAP can be a picky bastard sometimes, so I'm not sure how well this would work. You would have to manage to replicate the LDAP database to both servers, and have polling going on to determine whether it's time to fail off the dead server or not.

I need to research things like this myself. If I have some free time this week, I'll check this out for you.
 
cagriAuthor Commented:
Dear Zerofield,

It still sounds frustrating to me that we don't have a "secondary server" option in PAM!!!

I am really interested in any polling options and looking forward to hearing the results of your possible research...
 
swinterbornCommented:
I don't know OpenLDAP and Linux, but virtually any decent LDAP implementation will include the ability to replicate the database to multiple servers (may not be open source, but IBM SecureWay Directory Server is a free download and supports 2-tier replication). Once your database is replicated, for this particular scenario, you ought to be able to use some form of load balancing hardware to monitor the status of your servers and only forward client requests to servers which are alive (e.g., Cisco Content Switches: the 11000 series or modules for 6500 chassis).

You would need to set the hardware up to be 'sticky' on the client IP address: once a client has connected through the switch, all traffic from that client will be directed at the same node; otherwise you get problems with bind info being lost. Not a problem if your low-level systems are using a successful client bind to authenticate the user; more problematic if the low-level system is binding to LDAP itself in order to verify user credentials.

HTH
 
cagriAuthor Commented:
Dear Swinterborn;

I have no problem with replication, but I need a solution for redirection (or a redundancy option within PAM). As you may agree, buying a 6500 is a rather expensive solution :)
 
swinterbornCommented:
I don't know PAM so can't comment on that, but conceptually there are only 3 solutions to redundancy:

1) Make your client app capable of redundancy, e.g., Win2k logon on a workstation retrieves a list of DCs and works down the list until it finds a responsive DC.
2) Make your server capable of redundancy, with some form of clustering or network load balancing, e.g., the client hits a virtual IP and the server-side app directs the traffic at an available node. Could be active-passive clustering or something like MS App Centre, where all nodes listen concurrently on the same IP and run internal algorithms to determine which node should respond.
3) Introduce a network device. (The Cisco devices are only examples; I don't know if other manufacturers have cheaper products.)

If PAM does not support 1), and 3) is too expensive, your only option is 2), in your case, adding high availability options to the Linux OS as zerofield says.

Cheers
 
zerofieldCommented:
Are you using OpenGINA in conjunction with your OpenLDAP?
 
benjamin_smeeCommented:
I use PAM + OpenLDAP and have a fully redundant setup. Your initial statement is incorrect; all you need to do is specify an alternative LDAP server in your /etc/ldap.conf, e.g.:
uri ldaps://ldap1.yoursite.com ldaps://ldap2.yoursite.com

The only time you can't do this is on the actual LDAP servers themselves; in that case you need to configure PAM to correctly fall back to whatever authentication you want, in my case files.
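As an added example (not part of the thread, and not benjamin_smee's own files), here is what the client-side setup he describes looks like in full on a pam_ldap/nss_ldap client: the multi-server `uri` line, the timeout and reconnect options that make the failover fast instead of leaving logins hanging on a dead server, TLS peer checking so a failover cannot land on an impostor, and a PAM stack that authenticates local accounts first so the directory servers themselves (and any box with emergency accounts in /etc/passwd) still allow logins when every LDAP server is down. Hostnames, the base DN and the CA file path are placeholders.

```text
# ---- /etc/ldap.conf (pam_ldap / nss_ldap client) ----
# example.com names and paths are placeholders, not from the thread

# single-server form: the client is stranded when this host is down
#uri ldaps://ldap1.example.com

# redundant form: servers are tried in order, the first that answers wins
uri ldaps://ldap1.example.com ldaps://ldap2.example.com
base dc=example,dc=com
ldap_version 3

# fail fast: do not keep retrying a dead server on every lookup
bind_policy soft
# seconds to wait for a connect before moving to the next uri
bind_timelimit 5
# seconds to wait for a search result
timelimit 10

# nss_ldap reconnect backoff, so getent/login do not block for minutes
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 4
nss_reconnect_maxconntries 2

# verify the server certificate on every server in the uri list
ssl on
tls_checkpeer yes
tls_cacertfile /etc/ssl/certs/ldap-ca.pem

# ---- /etc/pam.d/system-auth (or common-auth/common-account on Debian) ----
# local files are consulted first, so root and emergency accounts in
# /etc/passwd and /etc/shadow work even when no LDAP server answers;
# this is the "fall back to files" case for the LDAP servers themselves
auth     sufficient    pam_unix.so nullok try_first_pass
auth     sufficient    pam_ldap.so use_first_pass
auth     required      pam_deny.so

account  required      pam_unix.so broken_shadow
account  sufficient    pam_localuser.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  required      pam_permit.so

# ---- /etc/nsswitch.conf ----
passwd:  files ldap
shadow:  files ldap
group:   files ldap
```

Two caveats a practitioner will hit. First, the `uri` list only helps if ldap2 carries the same data, so replication (slurpd/syncrepl on OpenLDAP) must already be working before the second server is added here. Second, the `sufficient` ordering above means a user present in both /etc/passwd and the directory is authenticated from the local file, so keep the two sets of accounts disjoint except for the deliberate emergency accounts.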
 
cagriAuthor Commented:
Zerofield: No, what is an OpenGINA indeed?!
 
cagriAuthor Commented:
Benjamin Smee:

This was what I would like to hear, let me check this...
 
zerofieldCommented:
OpenGINA is a login replacement for "GINA" (that's the name for the login screen on Win2k+... go figure). I was just curious; it would only vaguely relate to this question.

It looks like Benjamin has the solution; I'm going to test it out myself today or tomorrow if time permits.
 
cagriAuthor Commented:
OK... Thanks everyone for taking the time and responding. It seems it will take a bit until I test the suggested solution. So the points go to Benjamin.