How to configure FreeRADIUS with multiple ldap servers? - ldap

I have a FreeRADIUS server that uses ldap as a storage backend for its users. They are both located on the same machine running Ubuntu Linux 12.04 LTS.
Now I would like to set up another ldap server on another machine to add redundancy so that I could use it in case of my local ldap server's failure. Can anyone tell me how I can do it? Nothing is mentioned in RADIUS configuration files regarding multiple ldap servers.
The same question applies to Samba.
Any help would be greatly appreciated.

This is actually pretty easy, you can just list multiple servers here in the LDAP configuration, separated by commas.
libldap takes care of the rest.
Edit: For later versions of FreeRADIUS 3 the LDAP module expects multiple instances of the server config item. For example:
server = 'ldap1.example.org'
server = 'ldap2.example.org'
server = 'ldap3.example.org'
This is so internally, when the module is rewriting the URIs, they're already broken out into separate strings, which makes the code easier. It also looks a bit cleaner.
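As an added example (not part of the answer above, and not FreeRADIUS's stock file), here is what a FreeRADIUS 3 mods-available/ldap fragment looks like with three redundant directory servers; the hostnames, bind DN, base DN and password are assumed placeholders.

```text
# Added example: FreeRADIUS 3 ldap module with redundant servers.
# Hostnames, bind DN, base DN and password are placeholders.
ldap {
    # One 'server' item per host; libldap tries the next one when
    # the current host is unreachable, which gives the redundancy
    # the question asks for.
    server = 'ldap1.example.org'
    server = 'ldap2.example.org'
    server = 'ldap3.example.org'
    port = 389

    # Bind account used for lookups; keep it a read-only,
    # least-privilege account rather than the directory manager.
    identity = 'cn=radius,ou=services,dc=example,dc=org'
    password = 'CHANGE-ME-placeholder'

    base_dn = 'dc=example,dc=org'

    user {
        base_dn = "${..base_dn}"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=posixGroup)'
        membership_attribute = 'memberOf'
    }

    tls {
        # Once the second directory lives on another machine, the bind
        # credentials and password attributes cross the network:
        # require STARTTLS and verify the server certificate.
        start_tls = yes
        ca_file = /etc/ssl/certs/ca-certificates.crt
        require_cert = 'demand'
    }

    pool {
        start = 5
        min = 4
        max = ${thread[pool].max_servers}
        spare = 3
        uses = 0
        lifetime = 0
        idle_timeout = 60
    }
}
```

Running `radiusd -XC` parses the configuration and exits without starting the daemon, which is a quick way to catch syntax errors before restarting a production server.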

Related

Solaris DSCC delete offline directory server

I have made a copy of one of our live ldap servers to use in testing environment.
In our live system we have 2 ldap servers in master/master configuration.
My question is on our testing environment: as there is only one server, how can I delete the offline ldap server from DSCC? I have tried to remove it using the web interface but as it's offline it throws a can't communicate error.
I have also tried using the dsccreg remove-server command with no success.
Any ideas?
You probably want to look at MOS note 1920317.1

Ideal railo + tomcat vhost setup for busy production server

I'm migrating a lot of websites from Resin 3 to Tomcat 7 (centos 4/apache 2.20) and I'm struggling to determine what type of configuration matches my requirements. In particular:
proxy_ajp vs mod_jk vs mod_proxy for passing requests to Tomcat/Railo
automating deployment of new sites
putting WEB-INF outside the site roots (to simplify cloning sites)
using apache itk with tomcat so each vhost runs as a different user and process
having a single shared railo server administrator config
support for SES URLs with no extension (ie: /path/to/page)
SSL support required
I've read a lot of howtos already but most are out of date or provide conflicting advice. I would like to see some examples from people who run many railo vhosts and deploy them automatically or programmatically. In general I'd prefer efficiency/speed over simplicity as I want to get the most out of limited resources.
I could have asked these questions separately but I want to be sure any answers take into account all the above factors (assuming the requirements are actually compatible).
Firstly, check out the vivotech installers - they are a hosting company, so use their installers as your base, they are flawless. (It uses tomcat.)
Railo 3.3 makes it a lot easier to deploy contexts from admin, so scripting this shouldn't be that hard.
WEB-INF should be automatically put into a site when it is defined in tomcat.
If you give each user a new context-root, then they will have their own admin.
Every webserver (apache/iis2k8/even tomcat) supports url-rewrite.
Everything supports ssl.
You might also want to look at how you're going to tune your jvm's for this scenario, then do some load testing to see how they fare.
Drop an email to sean corfield, google railo and his name and you'll get his email.

Using ldap locally to share login info with webapps - Do I need Kerberos too?

So I'm setting up a dedicated server using Debian 5 Lenny. I will be using some Atlassian Tools (JIRA, Confluence, Bamboo, and Fisheye). I want to use a local LDAP server to store information for the users that will be accessing these software titles, so that they can use one set of credentials to log in.
I also want webmail users to be configured using LDAP.
However, this is a small operation. Three people. That's why all of the software, including the ldap server, will all be on the same machine.
That said, is it safe to use LDAP to store user credentials (including passwords) in LDAP without using Kerberos? I'm confused as to when Kerberos should be used.
Hypothetically, let's say I had two servers on a subnet. Server A received requests from the outside world, for atlassian tools. Server A communicates to the ldap server (internally) on server B. In that case, would I use kerberos?
When do I use Kerberos? When do I not?
I am not setting anything like "Active Directory" up. No Samba either. Users do not need to login to a domain (with access to files on the domain), they just need to login to webapps. But if I was doing LDAP on its own dedicated machine, then I might want Kerberos?
:confuzzled: :(
-Sam
The simplest possible answer is yes, it is possible to store user names, user ids, and passwords without using Kerberos, and in fact directory services accessed via LDAP are an excellent tool for storing this sort of authentication and authorization information.
Update:
In my opinion, if you do choose an open source server, you will find OpenDS to be superior to OpenLDAP or Apache.
Basically, if you have Kerberos, you do not need any directory server. If you aren't in a corporate environment and are looking for an identity management store, you should definitely go for a directory server like OpenLDAP or Apache Directory. Kerberos requires running a correctly set up DNS and NTP server. This might be way too much. Even if you do, those lazy morons from Atlassian still did not implement Kerberos support into their products. You can't even go with that.
I just noticed that there are only three of you, maybe a simple database setup with MySQL would suffice instead of running a full-blown directory server?

Sub Directory to a different server

Is it possible for a domain e.g. www.myclient.com to have a sub directory hosted on a completely different (our) server?
They don't want to point subdomain.myclient.com to our servers so they want it as folder www.myclient/subdomain/
Thanks in advance.
As discussed in the comments, your only option is a proxy. Everything else (like mod_rewrite / Alias) will do a header redirect, and expose the target address to the user.
However, Apache's proxying doesn't seem to be that complicated. The most basic example is
ProxyPass /mirror/foo/ http://backend.example.com/
Note that a proxy will of course double your traffic, because every byte requested will have to be fetched from the remote machine.
There are two different mechanisms that you might be able to use to accomplish this. What you use will depend on the setup you have as well as what permissions you have on the server from the hosting company if this is not a dedicated server.
The first option is to map to the second server using the file system, then use mod_alias to point the subdirectory to the mapped location. This requires that the two servers be networked together, for instance if you have one server dedicated to a specific server, but own and can safely network the servers at the file system level.
Another option would be to set up Apache to act as a proxy. This does require some advanced programming to configure but the system can be set up so that requests to the specified subfolder would be passed on to the remote web server. This can be used when the remote server can't be networked at the file system level, but lets you simulate the workings of a remote subdomain.
Could you use Amazon CloudFront, because it can map different paths to different servers?

Domain Name Server on Windows for locally hosted websites

I have a half-dozen domains (with associated domain names), hosted locally on Windows/Apache and accessible to the wider internet. At the moment, the name servers are provided by my domain name registrar at extra cost. I would like to host a domain name service (on the same machine as is hosting the websites).
I have tried BIND without success, I was unable to configure it correctly. I was confused about zones and the syntax of configuration, as well as how to test if it is configured correctly!
Most guides seem directed at users who wish to replicate DNS entries for local caching, whereas I simply want to host a name server (locally) which directs users to my local machine, when they request any of the half-dozen websites I host.
Is there a simple application to host a limited Domain Name Service like this on Windows (Vista Business), or an obvious tutorial that I haven't found yet? Or was I on the right track with BIND and missing something?
Bind is probably the best choice. The guides you're referring to are talking about configuring a caching resolver. What you want is an authoritative name server. Bind can be a pain to configure because there are so many options, but it's probably worth persevering.
It depends what your budget is.
The DNS Server on Windows 2003 Server is pretty good and easy to configure.
There's a bunch of alternatives listed here:
http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
Simple DNS Plus could maybe do the trick for your case, but I haven't tried it.
Another option is maybe to use Bind and try to find a GUI for it; there are a few existing, usually web based, like webmin and such...