Multiple IP Addresses for LDAP Server
-
One of our LDAP servers failed and our OpenVPN stopped working because that was the only LDAP server set up in the firewall. Is there a way to specify multiple IP addresses for the LDAP server in the pfSense Authentication Server configuration? Since each server has the same configuration, it seems like it shouldn't be necessary to set it up as a completely new server. This is especially true because we have three different sets of servers, so we would end up having a very large number of servers tried unnecessarily when authenticating against the later domains on the list.
-
@yakatz You can create an LDAP server entry for each IP address and select all of them on the OpenVPN server configuration page
-
@viktor_g said in Multiple IP Addresses for LDAP Server:
@yakatz You can create an LDAP server entry for each IP address and select all of them on the OpenVPN server configuration page
I understand that, but let me restate the concern with doing that:
I have two different domains:
If I had to create separate server entries, if a server responds that a user is not valid, won't OpenVPN just try the next server for the same domain? This seems like substantial extra load, especially if some of those servers are accessed over a VPN to another site (Domain A - Server 3 in this example).
Is there any way to do something like this, so if the server returns that a user is not valid, OpenVPN will move on to the next domain?
-
If they are all the same LDAP tree, why not create TCP HA-Proxy VIP even if it just for localhost?
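As an added illustration of the VIP idea above (example configuration written for this thread, not posted by hydrian or shipped with pfSense): a TCP-mode HAProxy listener on localhost fronting the three servers of one domain, so the pfSense Authentication Server entry points at 127.0.0.1:389 and failover happens in the backend pool. Server names and addresses are placeholders.

```haproxy
# Added example: localhost TCP VIP in front of one domain's LDAP servers.
# Placeholder addresses (RFC 5737 ranges); replace with the real servers.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode    tcp
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Listener that pfSense is configured to use instead of a single LDAP IP.
frontend ldap_domain_a
    bind 127.0.0.1:389
    default_backend ldap_domain_a_servers

backend ldap_domain_a_servers
    balance roundrobin
    # LDAPv3 health check (anonymous bind): a server that dies or stops
    # answering LDAP is removed from rotation, so one failed server no
    # longer breaks OpenVPN authentication.
    option ldap-check
    default-server inter 5s fall 2 rise 2
    server domain-a-1 192.0.2.11:389 check
    server domain-a-2 192.0.2.12:389 check
    # Server reached over the site-to-site VPN: only used as a last resort
    # when the local servers are down, which keeps load off the tunnel.
    server domain-a-3 198.51.100.13:389 check backup
```

In TCP mode HAProxy passes TLS through untouched, so with LDAPS or STARTTLS the hostname pfSense is configured with must still match the backend servers' certificates, and the plaintext ldap-check only suits port 389.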
-
@hydrian Interesting idea. I will give it a try and report back here.
-
Looking at the source: for the record, PHP's ldap_connect supports multiple connection strings, but there is some validation done in the src/etc/inc/auth.inc#L1423 which builds the connection string in a way that can't add multiple strings. I might look at a patch for this myself too.
-
@yakatz Also a word of warning, as someone who deals with PHP's LDAP bindings on a regular basis: ldap_connect is incredibly picky about TLS/SSL connections. And until about PHP 7.3, they are very hard to override to allow insecure connections even for testing.