[SOLVED] squid_ldap_auth: Can I specify a failover domain controller?
I've run into a new problem in setting up a Squid 3.0 server at my office. Before going into what's wrong though, let me describe how we have it set up:
Users' IE browsers point to the Squid server as the proxy, and when they open the browser they are prompted for their LDAP credentials. The Squid server authenticates them against one of our Windows S2003 domain controllers and gives them permissions to certain websites based on which AD security group I've put them in. To this end, everything is working perfectly.
However, in order to accomplish this, I use the program squid_ldap_auth. It took forever to get it working the way I want it, but I finally discovered that in order to successfully look up an account on our DC, I have to use the -h parameter to specify the IP of one of my domain controllers.
So, my question.
Is there a way for me to specify a failover host, in case that DC is down or unavailable for any reason? (We have several DCs here.)
I'd like to know if this can be done within the command parameters or within my squid.conf file. I've pored through the man pages of squid_ldap_auth and looked up many squid.conf tutorials without much luck.
Adding a failover or second DC appears to be as simple as adding a comma. Yes... unsurprisingly, a seemingly simple problem has an even simpler solution.
So if I go "squid_ldap_auth (etc etc) -h 192.168.0.1,192.168.0.2" then it will iterate through those IPs until it finds one it can authenticate against. The man page does sort of imply this is possible but doesn't explicitly say it, now that I look back at it.
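For anyone landing here later, this is what the comma-separated `-h` host list from the answer above looks like inside a squid.conf. It is an added example, not the original poster's configuration: the helper path, the base DN, the bind account, the filter and the 192.168.0.x addresses are all assumed placeholders, so substitute your own.

```conf
# Assumed squid.conf fragment (example, not the poster's own config).
# Squid hands "username password" to the helper on stdin; the helper binds
# to the first reachable host in the -h list and answers OK or ERR.
# Two DCs are listed so that authentication survives one being down.
auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=local" -D "cn=squid-bind,cn=Users,dc=example,dc=local" -W /etc/squid/ldap-bind.secret -f "sAMAccountName=%s" -v 3 -h 192.168.0.1,192.168.0.2
auth_param basic children 5
auth_param basic realm Office proxy
auth_param basic credentialsttl 2 hours

# Only clients that authenticated successfully get through.
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access deny all
```

Two things worth checking once this is in place: keep the bind password in a root-owned file (`-W` above) rather than inline with `-w`, because squid.conf is usually world-readable, and take the first DC offline deliberately during a maintenance window to confirm the helper really does fall through to the second address rather than returning ERR.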