Feature #10843
openAllow user manager settings to specify multiple authentication servers
0%
Description
We would really like to have redundancy with our LDAP authentication for the pfSense web interface, but this appears to be impossible at the moment.
Related issues
Updated by Jim Pingle almost 3 years ago
- Has duplicate Feature #12682: RADIUS authentication fallback for pfSense GUI added
Updated by Jim Pingle almost 3 years ago
- Subject changed from RFE: Allow user manager settings to specify multiple authentication servers to Allow user manager settings to specify multiple authentication servers
Updated by Denis Grilli over 1 year ago
Just here to push this up. This feature would be very useful on enterprise environments.
Updated by Ryan Whitlock about 1 year ago
Denis Grilli wrote in #note-4:
Just here to push this up. This feature would be very useful on enterprise environments.
I concur! Please make this a higher priority.
Updated by Chris Linstruth 10 months ago
This feature should also include the ability to define specific failover behavior if the configured authentication servers are either unreachable or return auth failures.
Updated by Jim Pingle 10 months ago
I've been thinking about this a bit lately since we've added something similar in the upcoming TNSR release.
Like there, we could have a way to define "server groups" and then rather than offering a list of all auth servers, we offer the groups where users can now select servers. Inside each group you could only list the servers you want to use and the order in which they should be queried.
And then for example GUI/system auth you'd pick it by group, same with OpenVPN server auth, IPsec user auth, etc.
Chris Linstruth wrote in #note-6:
This feature should also include the ability to define specific failover behavior if the configured authentication servers are either unreachable or return auth failures.
For local auth this could happen naturally if the auth server groups had individual entries for each server plus "Local" and then you could set a group to only include remote servers and not the local auth, which would then be excluded.
But beyond that it would also be helpful to have a choice between "use the next server on any failure" vs "use the next server only if the first is unreachable" so users can consider an auth failure a failure at any point.