Netgate Discussion Forum

    LDAP + AD fail-over auth

    General pfSense Questions
    12 Posts 5 Posters 2.8k Views
    BloodyIron

    I have two SAMBA4 AD DCs and I'm using LDAP to auth against the first one for my OpenVPN stuff. I want to figure out how to have LDAP fail-over to my second DC when the first one goes down, and naturally have things like OpenVPN auth against such fail-over.

    Any ideas?
    jimp (Rebel Alliance, Developer, Netgate)

    Add both as separate auth servers. Ctrl-click both so both are selected in the VPN auth server selection. If the first is down it will try the second.

    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

    Need help fast? Netgate Global Support!

    Do not Chat/PM for help!
    BloodyIron

    Yum! I'll look into that right now ;o

    @jimp:

    Add both as separate auth servers. Ctrl-click both so both are selected in the VPN auth server selection. If the first is down it will try the second.
    BloodyIron

    Fail-over isn't working for me :(

    I set up a second auth server pointing to the second DC. When I do a diagnostics auth test, it does work. But when I turn off DC1 and try to auth through the VPN it just times out and complains about a TLS key failing to negotiate.

    Any more keen ideas? D:

    @jimp:

    Add both as separate auth servers. Ctrl-click both so both are selected in the VPN auth server selection. If the first is down it will try the second.
    abidkhanhk

    What I did, based on my network layout:

    We have multiple sites and our main site has the primary DC, which then replicates to the other sites.

    All sites are connected through IPsec.

    Each site has its own DC, which in turn authenticates for the local pfSense box with its own OVPN server.

    Distributed client configurations are set to have multiple sites, so in case the primary box in the datacentre dies, when the 1st fails it will connect to the 2nd and 3rd.

    The traffic will then be routed over IPsec to the appropriate destinations.

    It's a bit of a stretched network but this has worked for our needs.
    Cheers
    evelio

    Are there any updates on this? I also have two Active Directory authentication backends selected on the OpenVPN server config. However, when the first server goes down (the first on the list), I don't see in the logs any attempts to contact the second server. Are there any workarounds for this?

    Using

    2.2.4-RELEASE (amd64)
    built on Sat Jul 25 19:59:52 CDT 2015
    FreeBSD 10.1-RELEASE-p15

    Regards
    Evelio
    sven_apsware

    I'd like to bump this post.
    Facing the same issue.

    2.3.1-RELEASE (amd64)
    built on Tue May 17 18:46:53 CDT 2016
    FreeBSD 10.3-RELEASE-p3

    Any update would be nice, since this is even tracked in Redmine without any comment. (Tickets #3022 and #5906)
    jimp (Rebel Alliance, Developer, Netgate)

    Set your Server timeout lower on the LDAP server entries, otherwise it won't time out before OpenVPN does.
    sven_apsware

    Will try this the day after tomorrow, but thank you in advance!

    Is there any recommended value? It currently defaults to 25 seconds, while I don't know what the value is for OpenVPN.
    I obviously don't want to go too low here.
    jimp (Rebel Alliance, Developer, Netgate)

    We have lowered that to 5 seconds for new server entries made on the current version of pfSense. The best timeout value depends on your LDAP server. If it's fast and responsive, then a few seconds is plenty.
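    The fail-over behaviour jimp describes in the thread (both servers selected on the OpenVPN server and tried in order, with the LDAP "Server timeout" low enough that the first DC's silence is noticed before OpenVPN gives up on the authentication) as an added example. This is not code from pfSense or from anyone in this thread. Real LDAP binds are replaced by a simulated backend on a virtual clock so it runs offline; the VPN side's deadline is not stated anywhere in the thread, so it is a parameter, and the 20-second figure, host addresses and credentials below are constructed for the demonstration only.

```python
"""Authentication-server fail-over under the calling daemon's deadline.

Added example, not pfSense's own code.  It models the behaviour described in
this thread: every selected server is tried in order, each LDAP server entry
has its own "Server timeout", and a DC that is switched off swallows its whole
timeout before the next server is attempted.  The VPN daemon that asked for
the authentication has its own deadline, which the thread never states, so it
is a parameter here.  Binds are simulated against a virtual clock so the
example runs offline and instantly.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthServer:
    name: str
    host: str
    timeout: float  # seconds; the per-entry "Server timeout" (old default 25, new default 5)


@dataclass
class AuthResult:
    ok: bool
    answered_by: Optional[str]
    elapsed: float  # seconds the whole attempt took, summed over all servers tried
    errors: List[str]


class FakeClock:
    """Virtual clock so a 25-second timeout costs no real time in the example."""

    def __init__(self) -> None:
        self.now = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds


def make_bind(state: Dict[str, str], clock: FakeClock,
              valid: Dict[str, str]) -> Callable[[AuthServer, str, str], bool]:
    """Constructed stand-in for an LDAP bind.  `state` maps host -> "up"/"down".

    A host that is powered off drops packets silently, so the connection hangs
    until the server timeout; that is the case the timeout protects against.
    (A host that is up with the directory service stopped refuses the TCP
    connection immediately and costs next to nothing, so fail-over there does
    not depend on the timeout.)
    """
    def bind(server: AuthServer, user: str, password: str) -> bool:
        if state.get(server.host) != "up":
            clock.sleep(server.timeout)
            raise TimeoutError(f"{server.name} ({server.host}): no answer in {server.timeout:g}s")
        clock.sleep(0.1)  # a responsive DC answers within a fraction of a second
        return valid.get(user) == password
    return bind


def authenticate(servers: List[AuthServer], user: str, password: str,
                 bind: Callable[[AuthServer, str, str], bool],
                 clock: FakeClock) -> AuthResult:
    """Try the selected servers in order and stop at the first one that answers."""
    start = clock.now
    errors: List[str] = []
    for server in servers:
        try:
            ok = bind(server, user, password)
        except TimeoutError as exc:
            errors.append(str(exc))
            continue
        return AuthResult(ok, server.name, clock.now - start, errors)
    return AuthResult(False, None, clock.now - start, errors)


def max_server_timeout(n_servers: int, deadline: float, answer_time: float = 1.0) -> float:
    """Largest per-server timeout that still lets the last selected server be
    reached when every server before it is unreachable and the caller gives up
    after `deadline` seconds; `answer_time` reserves time for the surviving
    server to actually respond."""
    budget = deadline - answer_time
    return budget if n_servers < 2 else budget / (n_servers - 1)


def failover_demo(server_timeout: float, deadline: float) -> Tuple[bool, float]:
    """DC1 switched off, DC2 healthy, both selected on the VPN server.
    Returns (accepted before the caller's deadline, seconds the attempt took).
    Hosts and credentials are constructed for the example."""
    clock = FakeClock()
    servers = [AuthServer("DC1", "192.0.2.11", server_timeout),
               AuthServer("DC2", "192.0.2.12", server_timeout)]
    bind = make_bind({"192.0.2.11": "down", "192.0.2.12": "up"}, clock,
                     valid={"alice": "correct horse battery staple"})
    result = authenticate(servers, "alice", "correct horse battery staple", bind, clock)
    return (result.ok and result.elapsed <= deadline), result.elapsed


if __name__ == "__main__":
    # 20 s is an illustrative deadline only; the thread does not give the VPN side's value.
    for t in (25.0, 5.0):
        accepted, took = failover_demo(server_timeout=t, deadline=20.0)
        print(f"server timeout {t:g}s: {'accepted' if accepted else 'caller gave up'} after {took:.1f}s")
    print(f"max per-server timeout for 2 servers, 20 s deadline: {max_server_timeout(2, 20.0):g}s")
```

    The point of `max_server_timeout` is the check a practitioner wants before picking a value: with a healthy DC behind one or more dead ones, the per-server timeout has to stay below the caller's deadline divided by the number of servers that can fail in front of it, with a little left over for the survivor to answer. Note also what the timeout does not cover: a DC whose host is up but whose directory service is stopped refuses the connection at once, so only the silent-drop case (host off, firewall dropping, routing gone) consumes the timeout and is worth measuring when you tune it.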
    sven_apsware

    Alright, that's something to work with :)
    Again, thank you very much!
    Will report back once this is tested.
    sven_apsware

    Managed to test this already, with great success!
    Thanks for your help.
    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.