[freeradius] fail-over ldap + reply-item missing

François Mehault Francois.Mehault at netplus.fr
Tue Jun 9 14:18:17 CEST 2009


Hi all

I am trying to set up a fail-over with two LDAP servers on my FreeRADIUS. I read this article http://wiki.freeradius.org/Fail-over, instantiated two OpenLDAP modules and used the keyword redundant in my /raddb/sites-available/default in the authorize and authenticate sections.

redundant {
                Primary-ldap
                Secondary-ldap
}

I also enabled reply_log.
When both LDAP servers are running, it works.

reply log:

Tue Jun  9 11:45:53 2009
        Packet-Type = Access-Accept
        Reply-Message = "Utilisateur: fmehault, group: Administrateur"
        Cisco-AVPair = "shell:priv-lvl=15"
        Service-Type = NAS-Prompt-User

But if I stop the Secondary-ldap, I get just:

reply log:

Tue Jun  9 11:49:19 2009
        Packet-Type = Access-Accept

I can see in my log that radiusd tries to contact Secondary-ldap first. Why? Then it tries 3 times, rather than trying Primary-ldap. Why?

I would be pleased to give you more information about my problem to help you fix it.

++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: dc=netplus,dc=fr -> dc=netplus,dc=fr
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files]         expand: (&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-name})) -> (&(uid=fmehault)(radiusHuntgroupName=swLabo))
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.96.18.4:389, authentication 0
rlm_ldap: bind as cn=root,dc=netplus,dc=fr/secret to 10.96.18.4:389
rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0

[...]

rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server

[...]

rlm_ldap: cn=root,dc=netplus,dc=fr bind to 10.96.18.4:389 failed: Can't contact LDAP server

Summary:

                Primary-ldap       started
                Secondary-ldap     started
                It works

                Primary-ldap       stopped
                Secondary-ldap     started
                It works

                Primary-ldap       started
                Secondary-ldap     stopped
                Access-Accept without reply-item ...

Could someone explain to me what my problem is?

Regards,

François
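As an added example (not part of this post, and not the poster's own configuration), the layout below shows how the two instances and the group check in the users file can be written so that the group comparison names the instance it depends on. It is built on how rlm_ldap in FreeRADIUS 2.x registers its comparisons, which is the assumption behind the example: every ldap instance registers the generic Ldap-Group comparison, so the last instance loaded (Secondary-ldap here) answers every plain Ldap-Group check, and each instance also registers an instance-specific <instance>-Ldap-Group attribute. The redundant block only wraps the module calls listed inside it; a Ldap-Group comparison triggered from files is a paircompare call and is never routed through redundant, which matches the log above where [files] drives ldap_groupcmp straight at 10.96.18.4. Server names, the users entry and the huntgroup are constructed for the example.

```conf
# Added example, not the original post's config. Assumes FreeRADIUS 2.x rlm_ldap
# semantics: each instance registers the generic "Ldap-Group" comparison (the
# last one loaded wins) plus an instance-specific "<name>-Ldap-Group" attribute.

# ---- modules/ldap : two instances, constructed server names ----
ldap Primary-ldap {
        server   = "ldap1.example.invalid"
        identity = "cn=root,dc=netplus,dc=fr"
        password = "secret"
        basedn   = "dc=netplus,dc=fr"
        filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        # short network timeout so a dead server does not stall every request
        net_timeout = 1
        groupname_attribute   = cn
        groupmembership_filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-Name}))"
}

ldap Secondary-ldap {
        server   = "ldap2.example.invalid"
        identity = "cn=root,dc=netplus,dc=fr"
        password = "secret"
        basedn   = "dc=netplus,dc=fr"
        filter   = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        net_timeout = 1
        groupname_attribute   = cn
        groupmembership_filter = "(&(uid=%{%{Stripped-User-Name}:-%{User-Name}})(radiusHuntgroupName=%{Huntgroup-Name}))"
}

# ---- sites-available/default : redundant covers ONLY these module calls ----
authorize {
        preprocess
        redundant {
                Primary-ldap
                Secondary-ldap
        }
        files
}

authenticate {
        Auth-Type LDAP {
                redundant {
                        Primary-ldap
                        Secondary-ldap
                }
        }
}

# ---- users : the group check is a comparison, not a module call ----
#
# Before: which instance answers "Ldap-Group" is whichever instance registered
# it last, independent of the redundant block. If that server is down the
# entry does not match and the Access-Accept carries no reply items.
#
#   DEFAULT Huntgroup-Name == "swLabo", Ldap-Group == "Administrateur"
#           Reply-Message = "Utilisateur: %{User-Name}, group: Administrateur",
#           Cisco-AVPair = "shell:priv-lvl=15",
#           Service-Type = NAS-Prompt-User
#
# After: name the instance explicitly. Entries are tried in order until one
# matches, so a second entry against the other instance gives the group check
# its own fail-over (at the cost of one net_timeout when the primary is down).
DEFAULT Huntgroup-Name == "swLabo", Primary-ldap-Ldap-Group == "Administrateur"
        Reply-Message = "Utilisateur: %{User-Name}, group: Administrateur",
        Cisco-AVPair = "shell:priv-lvl=15",
        Service-Type = NAS-Prompt-User

DEFAULT Huntgroup-Name == "swLabo", Secondary-ldap-Ldap-Group == "Administrateur"
        Reply-Message = "Utilisateur: %{User-Name}, group: Administrateur",
        Cisco-AVPair = "shell:priv-lvl=15",
        Service-Type = NAS-Prompt-User
```

Two things worth checking in this setup. First, the instance-specific attribute only exists if the instance has a name (the second word in `ldap Primary-ldap {`), so `radiusd -X` should show the `Primary-ldap-Ldap-Group` and `Secondary-ldap-Ldap-Group` comparisons being registered at start-up; if it does not, the attribute names are wrong. Second, the outcome in the post (an Access-Accept with no Cisco-AVPair or Service-Type) fails in the safe direction, since the user gets a session without priv-lvl 15 rather than with it, but it is silent: an Access-Accept in reply_log with no reply items on a NAS that expects them is the signal to alert on when the directory behind the group check is unreachable.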



