Netgate Discussion Forum
    Redundant LDAP servers

    Category: webGUI (7 posts, 4 posters)

    coachmark2:

      I'm running pfSense 2.2.1 in a couple different locations with AD environments. All of these environments, of course, have multiple DCs. What I'd like to do is to be able to specify multiple servers for login auth, etc. That way, if the DC that I've pointed pfSense at goes down or is unavailable, then pfSense is still available for login. As it stands right now, when I reboot the DC that pfSense LDAPs against, I cannot login to the firewall.

      Additionally, this would be nice for OpenVPN too… :)

      If this is a current feature, please let me know how to do it. :) If not, maybe move this to feature requests.

      Thanks!

    coachmark2:

        Bump?

    doktornotor:

          No such thing for WebGUI. For OpenVPN, you are able to select multiple LDAP servers for auth, using the CTRL key. Whether it works or not, no idea.

    Soyokaze:

    You already have all necessary redundancy built-in. Provide the AD domain name in "LDAP Server name", not some DC's FQDN.


    doktornotor:

              @pan_2:

    You already have all necessary redundancy built-in. Provide the AD domain name in "LDAP Server name", not some DC's FQDN.

              Well that actually completely fails at least when SSL is involved.

    Derelict (Netgate):

    I didn't know the LDAP client was smart enough to try multiple servers if it got more than one A record from DNS.

                Couldn't you get SSL Certificates with the DC FQDN plus the AD domain name as a SAN in each server?


    doktornotor:

                  Yes, you could. You don't by default and that's all that matters, pretty much. Good luck convincing those unfortunate guys that need to mess with AD CA to mess with the templates.

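The three claims in the thread (pointing the LDAP client at the AD domain name gives DNS-based failover; that failover breaks once TLS hostname verification is in play, because each DC's default certificate only names its own FQDN; adding the domain name as a SAN on every DC cert repairs it) can be checked against a small model. The block below is an added example, not pfSense code and not anything posted in the thread: it models a resolver that returns one A record per DC and a client that walks those addresses in order, applying an RFC 6125-style DNS-ID check on a fake certificate. It does not assert what pfSense's actual LDAP client does with multiple A records. The domain, DC names, addresses and certificates are all constructed sample data.

```python
"""Added example (not from the forum thread or pfSense): models an LDAPS
client pointed at an AD domain name instead of a single DC FQDN.

Two things are modelled:
1. DNS round-robin failover: the domain name resolves to one A record per DC
   and the client tries each in turn until one accepts the connection.
2. TLS hostname verification: each DC's certificate names only its own FQDN
   in the SAN, so a client verifying the name it connected with (the domain
   name) rejects every DC unless the domain name is also in the SAN.

All hostnames, addresses and certificates below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass
class FakeCert:
    """Minimal stand-in for an X.509 cert: subject CN plus DNS SAN entries."""
    subject_cn: str
    dns_sans: tuple = ()


def hostname_matches(cert: FakeCert, hostname: str) -> bool:
    """RFC 6125-style DNS-ID check: SAN entries are authoritative; the CN is
    consulted only when the cert carries no DNS SAN at all.  A wildcard
    covers exactly one label and never matches the bare parent name."""
    names = cert.dns_sans or (cert.subject_cn,)
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                       # e.g. ".ad.example.com"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif name == host:
            return True
    return False


# Constructed lab: one AD domain, two DCs, each with a default-style DC cert
# that names only its own FQDN (assumed layout, not taken from a real AD CS).
DOMAIN = "ad.example.com"
DC_CERTS = {
    "192.0.2.11": FakeCert("dc1.ad.example.com", ("dc1.ad.example.com",)),
    "192.0.2.12": FakeCert("dc2.ad.example.com", ("dc2.ad.example.com",)),
}
DNS = {
    DOMAIN: ["192.0.2.11", "192.0.2.12"],   # AD registers every DC under the domain name
    "dc1.ad.example.com": ["192.0.2.11"],
    "dc2.ad.example.com": ["192.0.2.12"],
}


def ldaps_bind(server_name: str, down: Iterable[str] = (), certs=DC_CERTS,
               dns=DNS, verify_tls: bool = True) -> dict:
    """Try every address server_name resolves to, in order, until one accepts
    the connection and (when verify_tls) presents a cert valid for server_name.
    Returns the address that succeeded plus why each earlier attempt failed."""
    down = set(down)
    attempts = []
    for addr in dns.get(server_name, []):
        if addr in down:
            attempts.append((addr, "connect refused"))
            continue
        cert = certs[addr]
        if verify_tls and not hostname_matches(cert, server_name):
            attempts.append((addr, f"hostname mismatch: cert names {cert.dns_sans}"))
            continue
        return {"ok": True, "addr": addr, "attempts": attempts}
    return {"ok": False, "addr": None, "attempts": attempts}


def with_domain_san(certs: dict, domain: str) -> dict:
    """Reissue each DC cert with the domain name appended as an extra DNS SAN,
    i.e. the template change Derelict describes."""
    return {addr: FakeCert(c.subject_cn, c.dns_sans + (domain,))
            for addr, c in certs.items()}


if __name__ == "__main__":
    # Pointed at one DC: nothing to fail over to while that DC reboots.
    print(ldaps_bind("dc1.ad.example.com", down={"192.0.2.11"}))
    # Pointed at the domain name, plain LDAP: the second A record is used.
    print(ldaps_bind(DOMAIN, down={"192.0.2.11"}, verify_tls=False))
    # Same with TLS and default DC certs: every DC fails the hostname check.
    print(ldaps_bind(DOMAIN, down={"192.0.2.11"}))
    # Domain name added to every DC cert's SAN: TLS fails over cleanly.
    print(ldaps_bind(DOMAIN, down={"192.0.2.11"},
                     certs=with_domain_san(DC_CERTS, DOMAIN)))
```

The model keeps the two mechanisms separate on purpose: the resolver supplies redundancy, and hostname verification decides whether that redundancy is usable over TLS. Run it with `verify_tls=False` and the domain-name approach works as Soyokaze describes; turn verification back on and it fails as doktornotor describes, until the SAN change is applied.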