LinuxQuestions.org, Linux - Server forum (http://www.linuxquestions.org/questions/linux-server-73/)
Thread: squid_ldap_auth: Can I specify a failover domain controller? (http://www.linuxquestions.org/questions/linux-server-73/squid_ldap_auth-can-i-specify-a-failover-domain-controller-756999/)

RedHelix 09-22-2009 09:42 AM

squid_ldap_auth: Can I specify a failover domain controller?
 
Hi everyone,
I've run into a new problem in setting up a Squid 3.0 server at my office. Before going into what's wrong though, let me describe how we have it set up:

Users' IE browsers point to the Squid server as the proxy, and when they open the browser they are prompted for their LDAP credentials. The Squid server authenticates them against one of our Windows S2003 domain controllers and gives them permissions to certain websites based on which AD security group I've put them in. To this end, everything is working perfectly.

However, in order to accomplish this, I use the program squid_ldap_auth. It took forever to get it working the way I want it, but I finally discovered that in order to successfully look up an account on our DC, I have to use the -h parameter to specify the IP of one of my domain controllers.

So, my question.

Is there a way for me to specify a failover host, in case that DC is down or unavailable for any reason? (We have several DCs here.)

I'd like to know if this can be done within the command parameters or within my squid.conf file. I've pored through the man pages of squid_ldap_auth and looked up many squid.conf tutorials without much luck.

Much appreciated; you guys are saviors!
Jack

RedHelix 09-22-2009 10:50 AM

Whoop, answered my own question.

Adding a failover or second DC appears to be as simple as adding a comma. Yes... unsurprisingly, a seemingly simple problem has an even simpler solution.

So if I go "squid_ldap_auth (etc etc) -h 192.168.0.1,192.168.0.2" then it will iterate through those IPs until it finds one it can authenticate against. The man page does sort of imply this is possible but doesn't explicitly say it, now that I look back at it.

Hope this helps someone down the road
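The following script is an added example written for this page; it is not code from the thread or from the Squid project. It takes the same comma-separated host list that goes to -h, probes each domain controller on the LDAP port in the order the helper would try them, and prints the matching squid.conf auth_param line. The IP addresses, base DN, bind account, password file and helper path are placeholders, and the -v, -b, -D, -W, -f and -p options are squid_ldap_auth flags that the thread does not show, so confirm them against the man page for your Squid version.

```shell
#!/bin/sh
# Added example (not from the thread): check every DC in a squid_ldap_auth -h list
# and emit the squid.conf line that uses the list for failover.
# All hosts, DNs and paths below are placeholders for your own environment.

LDAP_HOSTS="192.168.0.1,192.168.0.2"                   # same value you pass to -h
LDAP_PORT=389
BASE_DN="dc=example,dc=local"                          # placeholder search base
BIND_DN="cn=squidproxy,cn=Users,dc=example,dc=local"   # placeholder read-only bind account
HELPER=/usr/lib/squid/squid_ldap_auth                  # placeholder; path varies by distro

# list_hosts LIST: one host per line, in the order the helper will try them
list_hosts() {
    printf '%s\n' "$1" | tr ',' '\n'
}

# probe_tcp HOST PORT: succeed if a TCP connection opens within 3 seconds
probe_tcp() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# first_reachable LIST PORT [PROBE]: print the first host that answers (nothing if none)
first_reachable() {
    _probe=${3:-probe_tcp}
    for _h in $(list_hosts "$1"); do
        if "$_probe" "$_h" "$2"; then
            printf '%s\n' "$_h"
            return 0
        fi
    done
    return 1
}

# dead_hosts_before_live LIST PORT [PROBE]: number of unreachable hosts ahead of the
# first live one; every one of them costs a connect timeout on each helper lookup
dead_hosts_before_live() {
    _probe=${3:-probe_tcp}
    _n=0
    for _h in $(list_hosts "$1"); do
        if "$_probe" "$_h" "$2"; then
            printf '%s\n' "$_n"
            return 0
        fi
        _n=$((_n + 1))
    done
    printf '%s\n' "$_n"
    return 1
}

# auth_param_line LIST: squid.conf helper line with the failover host list
auth_param_line() {
    printf 'auth_param basic program %s -v 3 -b "%s" -D "%s" -W /etc/squid/ldappass -f "(sAMAccountName=%%s)" -h %s -p %s\n' \
        "$HELPER" "$BASE_DN" "$BIND_DN" "$1" "$LDAP_PORT"
}

# Usage: sh dc_failover.sh check   (probe the DCs)   |   sh dc_failover.sh conf   (print the line)
case "${1:-}" in
    conf)
        auth_param_line "$LDAP_HOSTS"
        ;;
    check)
        _dead=$(dead_hosts_before_live "$LDAP_HOSTS" "$LDAP_PORT") || true
        if _live=$(first_reachable "$LDAP_HOSTS" "$LDAP_PORT"); then
            echo "first reachable DC: $_live ($_dead dead host(s) ahead of it in the list)"
        else
            echo "no DC in '$LDAP_HOSTS' answers on port $LDAP_PORT" >&2
            exit 1
        fi
        ;;
esac
```

Because the helper walks the list in order, a dead controller listed before a live one adds a connection timeout to every lookup the helper performs, so put the controllers most likely to be up first and keep the helper's connect timeout short (squid_ldap_auth has a connect timeout option; check the man page for your version). Running `sh dc_failover.sh check` from the proxy host before a change to the list shows whether the failover list actually has a reachable member from the proxy's point of view.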

