Netgate Discussion Forum
DC Cluster for LDAP Authentication?

4 Posts 3 Posters 511 Views
sreece
last edited by sreece Dec 4, 2020, 8:13 PM Dec 4, 2020, 8:12 PM

Hello,

Currently, I have Microsoft AD authentication server used by OpenVPN for the cert+user authentication pointed to one of my two domain controllers. I was wondering if it's possible to point it instead to a DNS record that is pointed to both servers, or possibly round-robin the load to each DC? Is this worth looking into, or should I just live with the single point of failure if the current DC was down?

I'm using STARTTLS, so I know there'd have to be an internal cert that matched the server name I use in the LDAP hostname, but that's for another post.

Thanks for any advice!
stephenw10 Netgate Administrator @sreece
last edited by Dec 6, 2020, 5:09 PM

I've never tried it but I know you can use HAProxy to load balance LDAP. pfSense itself could authenticate against that.

However in OpenVPN you can just define multiple authentication servers and it will try the other one if the first does not respond.

Steve
Napsterbater @sreece
last edited by Dec 7, 2020, 3:02 AM

@sreece said in DC Cluster for LDAP Authentication?:

I'm using STARTTLS, so I know there'd have to be an internal cert that matched the server name I use in the LDAP hostname, but that's for another post.

You can look at Network Load Balancing, it is built into Windows Server.
sreece @stephenw10
last edited by sreece Dec 11, 2020, 2:56 PM Dec 11, 2020, 2:55 PM

@stephenw10 Good advice. I just used my generated pfSense LDAP CA to issue another cert for the second DC and imported the CA cert and generated server cert into the certificate store on that domain controller. Totally forgot you could choose more than one auth server in the OpenVPN server config. Thanks for reminding me!
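The thread turns on two checks: does each DC actually answer StartTLS, and does the certificate it presents match the name the client connects with (with a round-robin DNS name, both DCs' certs need that name as a SAN). The following is an added stand-alone probe written for this thread, not pfSense, OpenVPN or HAProxy code: it sends the RFC 4511 StartTLS extended request, parses the extended response, completes a hostname-verified TLS handshake, and walks a server list in order the way Steve describes OpenVPN doing. The hostnames and the CA file path are assumptions.

```python
import socket
import ssl
STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation

def _tlv(buf, pos):
    """Decode one BER TLV (short definite length, enough for these small messages)."""
    tag, ln = buf[pos], buf[pos + 1]
    if ln & 0x80:
        raise ValueError("long-form BER length not handled")
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def build_starttls_request(msg_id=1):
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID  # requestName, [0] tag
    ext = b"\x77" + bytes([len(name)]) + name                    # [APPLICATION 23]
    body = b"\x02\x01" + bytes([msg_id]) + ext                   # INTEGER messageID (<128)
    return b"\x30" + bytes([len(body)]) + body                   # outer SEQUENCE

def parse_extended_response(data):
    """Return (message_id, result_code, diagnostic) from an extendedResp [APPLICATION 24]."""
    tag, msg, _ = _tlv(data, 0)
    _, mid, pos = _tlv(msg, 0)
    op_tag, op, _ = _tlv(msg, pos)
    if (tag, op_tag) != (0x30, 0x78):
        raise ValueError("not an LDAP ExtendedResponse")
    _, code, pos = _tlv(op, 0)    # resultCode ENUMERATED (0 = success)
    _, _dn, pos = _tlv(op, pos)   # matchedDN
    _, diag, _ = _tlv(op, pos)    # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode()

def probe_starttls(host, port=389, cafile=None, timeout=5):
    """Send StartTLS, then a TLS handshake that verifies the cert against `host`; raises OSError on failure."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        _, code, diag = parse_extended_response(sock.recv(4096))
        if code != 0:
            return code, diag
        ctx = ssl.create_default_context(cafile=cafile)  # check_hostname=True by default
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return 0, tls.getpeercert().get("subjectAltName", ())

def first_responding(servers, probe=probe_starttls):
    """Try servers in order, as OpenVPN does with a list of auth servers; first success wins."""
    for host in servers:
        try:
            if probe(host)[0] == 0:
                return host
        except (OSError, ValueError):  # timeout, refused, cert mismatch, malformed reply
            continue
    return None
```

Run it as `first_responding(["dc1.example.lan", "dc2.example.lan"])` with `cafile` pointing at the exported pfSense LDAP CA; a DC whose certificate lacks the connected-to name fails the handshake and is skipped just like one that is down.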