Redundant LDAP servers
-
I'm running pfSense 2.2.1 in a couple of different locations with AD environments. All of these environments, of course, have multiple DCs. What I'd like to do is to be able to specify multiple servers for login auth, etc. That way, if the DC that I've pointed pfSense at goes down or is unavailable, then pfSense is still available for login. As it stands right now, when I reboot the DC that pfSense LDAPs against, I cannot log in to the firewall.
Additionally, this would be nice for OpenVPN too… :)
If this is a current feature, please let me know how to do it. :) If not, maybe move this to feature requests.
Thanks!
-
Bump?
-
No such thing for WebGUI. For OpenVPN, you are able to select multiple LDAP servers for auth, using the CTRL key. Whether it works or not, no idea.
-
You already have all the necessary redundancy built in. Provide the AD domain name in "LDAP Server name", not some DC's FQDN.
-
@pan_2:
You already have all the necessary redundancy built in. Provide the AD domain name in "LDAP Server name", not some DC's FQDN.
Well that actually completely fails at least when SSL is involved.
-
I didn't know the LDAP client was smart enough to try multiple servers if it got more than one A record from DNS.
Couldn't you get SSL certificates with the DC FQDN plus the AD domain name as a SAN on each server?
-
Yes, you could. You don't by default and that's all that matters, pretty much. Good luck convincing those unfortunate guys that need to mess with AD CA to mess with the templates.