cagri asked:

Redundancy for LDAP authentication

In order to provide user authentication in our Unix/Linux infrastructure, we have an OpenLDAP installed on the main server, with satellite servers/workstations being authenticated against this one via PAM settings.

What is the best way of providing redundancy in such a setup, in case the LDAP server is down? As far as I know, it is impossible to define an alternative LDAP server in the PAM configuration, so what would be the other alternatives to provide redundancy?

If there is no solution on the application layer, could there be a solution on the network level? Redirection, etc.? Any software/hardware to perform this? (I don't have budget for additional equipment but your suggestions would be valuable.)

Regards,
zerofield

If you're using Linux, clustering and high-availability are options; however, they aren't entirely sophisticated in the Linux realm just yet. You can check out Linux Virtual Server at:
http://www.linuxvirtualserver.org/

Linux high availability at:
http://linux-ha.org/

There are several heartbeat polling scripts I've seen out there that would likely work for this. LDAP can be a picky bastard sometimes, so I'm not sure how well this would work. You would have to manage to replicate the LDAP database to both servers, and have polling going on to determine whether it's time to fail off the dead server or not.

I need to research things like this myself... if I have some free time this week, I'll check this out for you.
cagri (ASKER)

Dear Zerofield,

It still sounds frustrating to me that we don't have a "secondary server" option in PAM!!!

I am really interested in any polling options and looking forward to hearing the results of your possible research...

I don't know OpenLDAP and Linux, but virtually any decent LDAP implementation will include the ability to replicate the database to multiple servers (may not be open source, but IBM SecureWay Directory Server is a free download and supports two-tier replication). Once your database is replicated, for this particular scenario, you ought to be able to use some form of load balancing hardware to monitor the status of your servers and only forward client requests to servers which are alive (e.g., Cisco Content Switches: the 11000 series or modules for 6500 chassis).

You would need to set the hardware up to be 'sticky' on the client IP address: once a client has connected through the switch, all traffic from that client will be directed at the same node, otherwise you get problems with bind info being lost. Not a problem if your low-level systems are using a successful client bind to authenticate the user; more problematic if the low-level system is binding to LDAP itself in order to verify user credentials.

HTH
cagri (ASKER)

Dear Swinterborn;

I have no problem with replication but need a solution for redirection (or a redundancy option within PAM). As you may agree, buying a 6500 is a rather expensive solution :)

I don't know PAM so can't comment on that, but conceptually there are only 3 solutions to redundancy:

1) Make your client app capable of redundancy, e.g., Win2k logon on a workstation retrieves a list of DCs and works down the list until it finds a responsive DC.
2) Make your server capable of redundancy, with some form of clustering or network load balancing, e.g., the client hits a virtual IP and the server-side app directs the traffic at an available node. Could be active-passive clustering or something like MS App Centre, where all nodes listen concurrently on the same IP and run internal algorithms to determine which node should respond.
3) Introduce a network device. (The Cisco devices are only examples; I don't know if other manufacturers have cheaper products.)

If PAM does not support 1), and 3) is too expensive, your only option is 2): in your case, adding high availability options to the Linux OS, as zerofield says.

Cheers
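As an added illustration of the two server-side ideas discussed in this thread (zerofield's polling to decide when a node has died, and option 1 above, a client working down an ordered list until one node answers), here is a small Python script that is not from the original posts. It assumes nothing about the real servers: the directory servers are stood in for by local TCP listeners constructed inside the script, so it runs offline, and the liveness check is a plain TCP connect with a timeout.

```python
"""Ordered failover and liveness polling across a list of LDAP servers.

Added example, not code from the thread. The directory servers are stood in
for by local TCP listeners so the script runs offline. A successful TCP
connect only proves that something is listening on the port; a real health
check would also perform an LDAP bind or a trivial search.
"""
import socket
import threading


def probe(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_live_server(servers, timeout=1.0, probe_fn=probe):
    """Client-side failover: walk an ordered list of (host, port) pairs and
    return the first one that answers, or None if every node is down."""
    for host, port in servers:
        if probe_fn(host, port, timeout):
            return (host, port)
    return None


class LdapMonitor:
    """Server-side polling: a node is declared dead only after `failures`
    consecutive missed probes, so one dropped packet does not trigger failover."""

    def __init__(self, servers, failures=3, timeout=1.0, probe_fn=probe):
        self.servers = list(servers)
        self.failures = failures
        self.timeout = timeout
        self.probe_fn = probe_fn
        self.misses = {s: 0 for s in self.servers}

    def poll_once(self):
        """Probe every node once and update its consecutive-miss counter."""
        for host, port in self.servers:
            if self.probe_fn(host, port, self.timeout):
                self.misses[(host, port)] = 0
            else:
                self.misses[(host, port)] += 1

    def live(self):
        """Nodes still eligible to receive client traffic, in preference order."""
        return [s for s in self.servers if self.misses[s] < self.failures]


def start_stand_in_listener():
    """Constructed stand-in for a listening LDAP server: it only accepts and
    closes connections. Returns (socket, port); close the socket to 'kill' it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice that the socket was closed
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:  # listener closed: the "server" has died
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port():
    """A local port with no listener, to play the dead primary server."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Primary down, secondary up: failover should pick the secondary, and the
    monitor should drop the primary only after two consecutive missed polls."""
    srv, live_port = start_stand_in_listener()
    dead_port = unused_port()
    servers = [("127.0.0.1", dead_port), ("127.0.0.1", live_port)]
    chosen = pick_live_server(servers)
    mon = LdapMonitor(servers, failures=2)
    mon.poll_once()
    after_one = mon.live()   # primary missed once: still listed
    mon.poll_once()
    after_two = mon.live()   # primary missed twice: removed
    srv.close()
    return chosen, after_one, after_two


if __name__ == "__main__":
    print(demo())
```

The `failures` threshold is the part worth tuning: failing over on a single missed probe turns every transient network hiccup into a failover, and with replication in place a flapping node is worse than a slow one. On the client side, the same ordered-list behaviour is what pam_ldap/nss_ldap's `ldap.conf` `host` directive gives you when several space-separated hosts are listed; the poller above is the piece a virtual-IP or heartbeat setup needs on the server side.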

Are you using opengina in conjunction with your OpenLDAP?
benjamin_smee (ASKER CERTIFIED SOLUTION)

This solution is only available to members.
cagri (ASKER)

Zerofield: No, what is opengina indeed?!
cagri (ASKER)

Benjamin smee:

This was what I would like to hear, let me check this...

opengina is a login replacement for "gina" (that's the name of the login screen on Win2k+... go figure). Was just curious; it would only vaguely relate to this question.

It looks like Benjamin has the solution; I'm going to test it out myself today or tomorrow if time permits.
cagri (ASKER)

OK... Thanks everyone for taking the time and responding. It seems it will take a bit until I test the suggested solution. So the points go to Benjamin.