LDAP + AD fail-over auth



  • I have two Samba 4 AD DCs and I'm using LDAP to auth against the first one for my OpenVPN stuff. I want to figure out how to have LDAP fail over to my second DC when the first one goes down, and naturally have things like OpenVPN auth against such fail-over.

    Any ideas?


  • Rebel Alliance Developer Netgate

    Add both as separate auth servers. Ctrl-click both so both are selected in the VPN auth server selection. If the first is down it will try the second.



  • Yum! I'll look into that right now ;o

    @jimp:

    Add both as separate auth servers. Ctrl-click both so both are selected in the VPN auth server selection. If the first is down it will try the second.



  • Fail-over isn't working for me :(

    I set up a second auth server pointing to the second DC. When I do the diagnostics auth test, it does work. But when I turn off DC1 and try to auth through VPN, it just times out and complains about a TLS key failing to negotiate.

    Any more keen ideas? D:

    @jimp:

    Add both as separate auth servers. Ctrl-click both so both are selected in the VPN auth server selection. If the first is down it will try the second.



  • What I did, based on my network layout.

    We have multiple sites, and our main site has the primary DC, which then replicates to the other sites.

    All sites are connected through IPsec.

    Each site has its own DC, which in turn authenticates for the local pfSense box with its own OpenVPN server.

    Distributed client configurations are set up with multiple sites, so in case the primary box in the datacentre dies, when the 1st fails it will connect to the 2nd and 3rd.

    The traffic will then be routed over IPsec to the appropriate destinations...

    It's a bit of a stretched network, but this has worked for our needs.
    Cheers



  • Are there any updates on this? I also have two Active Directory authentication backends selected on the OpenVPN server config. However, when the first server goes down (the first on the list), I don't see any attempts in the logs to contact the second server. Are there any workarounds for this?

    Using

    2.2.4-RELEASE (amd64)
    built on Sat Jul 25 19:59:52 CDT 2015
    FreeBSD 10.1-RELEASE-p15

    Regards
    Evelio



  • I'd like to bump this post.
    Facing the same issue.

    2.3.1-RELEASE (amd64)
    built on Tue May 17 18:46:53 CDT 2016
    FreeBSD 10.3-RELEASE-p3

    Any update would be nice, since this is even tracked in Redmine without any comment. (Tickets #3022 and #5906)


  • Rebel Alliance Developer Netgate

    Set your Server timeout lower on the LDAP server entries, otherwise it won't time out before OpenVPN does.



  • Will try this the day after tomorrow - but thank you in advance!

    Is there any recommended value? It currently defaults to 25 seconds, while I don't know what the value is for OpenVPN.
    I obviously don't want to go too low here.


  • Rebel Alliance Developer Netgate

    We have lowered that to 5 seconds for new server entries made on the current version of pfSense. The best timeout value depends on your LDAP server. If it's fast and responsive, then a few seconds is plenty.
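
    The two pieces of advice in this thread (add every DC as a separate auth server and select all of them so the verifier falls through to the next one, and keep the per-server timeout short enough that the fall-through happens before OpenVPN gives up) reduce to a timing budget. The following is an added example, not pfSense or OpenVPN code: it models the verifier trying the selected servers in order against a virtual clock and exposes a sizing check for the Server Timeout value. The 60 s window, the 0.2 s healthy round trip, the `ops_per_dead_server` factor, and the `dc1`/`dc2`/`vpnuser` names and credentials are all assumptions constructed for the example.

```python
"""Ordered LDAP fail-over under an OpenVPN authentication deadline.

Added example; it is not pfSense or OpenVPN code. It models the setup the
thread discusses: OpenVPN hands a username/password to a verifier that
tries the selected LDAP servers in order, each bounded by its own
"Server Timeout", while OpenVPN itself only waits a fixed window for the
answer. Servers are simulated with a callable and a virtual clock, so the
module runs offline; the window and the per-server cost are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed cost of one bind against a responsive DC (seconds).
HEALTHY_RTT = 0.2

# OpenVPN's default TLS handshake window (--hand-window) is 60 s, and the
# client in the thread saw exactly that negotiation fail. Treating it as the
# ceiling for the whole auth step is an assumption, not a measurement.
DEFAULT_WINDOW = 60.0


@dataclass
class LdapServer:
    name: str
    timeout: float                               # per-entry "Server Timeout"
    bind: Callable[[str, str], Optional[bool]]   # True/False; None = never answers


@dataclass
class Attempt:
    server: str
    outcome: str          # "ok", "bad-credentials", "timeout", "not-reached"
    cost: float


def authenticate(servers: List[LdapServer], user: str, password: str,
                 window: float = DEFAULT_WINDOW,
                 ops_per_dead_server: int = 1) -> Tuple[bool, List[Attempt], float]:
    """Try servers in order; succeed on the first DC that accepts the password.

    A dead DC costs timeout * ops_per_dead_server, where the factor stands
    for how many timeout-bounded LDAP operations (connect, STARTTLS, bind,
    search) the client spends before giving up on that host: an assumption,
    1 if a failed connect ends the attempt. Once the virtual clock passes
    `window`, OpenVPN has already dropped the client, so later servers are
    recorded as not reached even when healthy: the failure the thread saw.
    """
    clock = 0.0
    attempts: List[Attempt] = []
    for s in servers:
        if clock >= window:
            attempts.append(Attempt(s.name, "not-reached", 0.0))
            continue
        answer = s.bind(user, password)
        cost = s.timeout * ops_per_dead_server if answer is None else HEALTHY_RTT
        clock += cost
        if answer is None or clock > window:
            # Either the DC never answered, or it answered after OpenVPN gave up.
            attempts.append(Attempt(s.name, "timeout", cost))
            continue
        if answer:
            attempts.append(Attempt(s.name, "ok", cost))
            return True, attempts, clock
        # A reachable DC that rejects the password: move on to the next one
        # (model choice; with replicated AD every DC should give the same answer).
        attempts.append(Attempt(s.name, "bad-credentials", cost))
    return False, attempts, clock


def worst_case_seconds(servers: List[LdapServer], ops_per_dead_server: int = 1) -> float:
    """Longest wait before the last server answers: every earlier one is dead."""
    return sum(s.timeout for s in servers[:-1]) * ops_per_dead_server + HEALTHY_RTT


def fits_window(servers: List[LdapServer], window: float = DEFAULT_WINDOW,
                ops_per_dead_server: int = 1) -> bool:
    """Sizing check for the "Server Timeout" value: the worst case must fit the window."""
    return worst_case_seconds(servers, ops_per_dead_server) < window


# Constructed stand-ins for the two DCs: dc1 is switched off, dc2 is healthy.
def dc_down(user: str, password: str) -> Optional[bool]:
    return None


def dc_up(user: str, password: str) -> Optional[bool]:
    return (user, password) == ("vpnuser", "correct horse")   # constructed credentials


def servers_with_timeout(timeout: float) -> List[LdapServer]:
    return [LdapServer("dc1", timeout, dc_down), LdapServer("dc2", timeout, dc_up)]


if __name__ == "__main__":
    for timeout in (25.0, 5.0):   # the default the thread started with, and the lowered value
        servers = servers_with_timeout(timeout)
        ok, attempts, total = authenticate(servers, "vpnuser", "correct horse",
                                           ops_per_dead_server=3)
        print(f"timeout={timeout:>4}s  fits={fits_window(servers, ops_per_dead_server=3)}  "
              f"result={ok}  after {total:.1f}s  "
              + ", ".join(f"{a.server}:{a.outcome}" for a in attempts))
```

    Run as a script, the 25 s row shows dc2 never being reached because dc1 alone consumed the window, while the 5 s row fails over cleanly. Before picking a value on a real deployment, measure how long a bind against a switched-off DC actually takes (that is what the factor stands in for) and keep the sum of all-but-one timeouts comfortably below whatever OpenVPN waits.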



  • Alright, that's something to work with  :)
    Again - thank you very much!
    Will report back, once this is tested.



  • Managed to test this already - with great success!
    Thanks for your help.