unlang and 1st of 4 ldap source fail
Gary Prosser
gary.prosser at trinity-bris.ac.uk
Fri Jul 30 10:28:29 CEST 2010
Adding output from radiusd -X:
Listening on authentication address 127.0.0.1 port 1812
Listening on authentication address 192.168.2.1 port 1812
Listening on accounting address 192.168.2.1 port 1813
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.2.1 port 1026, id=21, length=84
User-Name = "prosserg"
User-Password = *
Service-Type = Authenticate-Only
NAS-Identifier = "www.trinity-bris.ac.uk"
NAS-IP-Address = 192.168.2.1
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = "prosserg", looking up realm NULL
rlm_realm: No such realm "NULL"
++[suffix] returns noop
rlm_ldap: - authorize
rlm_ldap: performing user authorization for prosserg
expand: %{Stripped-User-Name} ->
expand: %{User-Name} -> prosserg
expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=prosserg)
expand: OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk -> OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 192.168.4.250:389, authentication 0
rlm_ldap: bind as cn=LDAPBIND,cn=Users,dc=public,dc=trinity-bris,dc=ac,dc=uk/ldapbind to 192.168.4.250:389
rlm_ldap: cn=LDAPBIND,cn=Users,dc=public,dc=trinity-bris,dc=ac,dc=uk bind to 192.168.4.250:389 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap1] returns fail
Invalid user: [prosserg/*] (from client esther2-webserver port 0)
Sending Access-Reject of id 21 to 192.168.2.1 port 1026
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 21 with timestamp +27
Ready to process requests.
-
IT Manager
Trinity College, Bristol (http://www.trinity-bris.ac.uk)
-----Original Message-----
From: Gary Prosser <gary.prosser at trinity-bris.ac.uk>
Reply-To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
To: freeradius-users at lists.freeradius.org
Subject: unlang and 1st of 4 ldap source fail
Date: Thu, 29 Jul 2010 22:19:04 +0100
Hi
I am using FreeRADIUS Version 2.0.4
On failure of the first of 4 ldap sources the freeradius server does not
continue to the next source but reports 'failed'.
In radiusd.conf modules I have defined 4 ldap items
ldap ldap1 {
        server = "192.168.4.250"
        identity = "cn=LDAPBIND,cn=Users,dc=public,dc=trinity-bris,dc=ac,dc=uk"
        password = *
        basedn = "OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk"
        filter = "(samAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        access_attr = "samAccountName"
        start_tls = no
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        edir_account_policy_check = no
        timeout = 4
        timelimit = 3
        net_timeout = 3
}
ldap ldap2 {
        [relevant config]
}
ldap ldap3 {
        [relevant config]
}
ldap ldap4 {
        [relevant config]
}
In authorize I have
authorize {
        preprocess
        chap
        mschap
        suffix
        ldap1
        if (notfound || fail) {
                ldap3
                if (notfound || fail) {
                        ldap2
                        if (notfound || fail) {
                                ldap4
                        }
                }
        }
        files
        pap
}
and in authenticate I have
authenticate {
        ldap1
        ldap2
        ldap3
        ldap4
        chap
}
My ldap1 source is down, yet the server does not continue to the next (ldap3 etc.)
but simply reports failed. Prior to ldap source ldap1 going offline all
worked as expected, i.e. finding valid logins in ldap3 or ldap2 or ldap4.
Is my unlang incorrect?
Thanks, Gary
-
IT Manager
Trinity College, Bristol (http://www.trinity-bris.ac.uk)
To ensure you receive email from Trinity College into your inbox, please add @trinity-bris.ac.uk to your email safe list (also known as whitelist).
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
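Added by the editor as an illustration of the behaviour the debug output above shows; it is not part of the thread and not the poster's configuration. In FreeRADIUS 2.x the default action for a module that returns `fail` inside `authorize` is `return`, which is why `++[ldap1] returns fail` is followed directly by the Access-Reject: the section ends at that point and the `if (notfound || fail)` after it is never evaluated. Unlang lets a single module call override that action with a `module { rcode = action }` block; giving `fail` the numeric priority `1` (the priority `notfound` already has by default) makes the section carry on to the next statement while the return code still reads `fail`, so the following `if` sees it. The module names and ordering are the ones from the post; the `{ fail = 1 }` overrides are the editor's addition.

```unlang
# Added example, not the poster's configuration. Same module names and
# ordering as in the post; the "{ fail = 1 }" overrides are the addition.
authorize {
        preprocess
        chap
        mschap
        suffix

        # By default a "fail" rcode in authorize means "return", so an
        # unreachable LDAP server ends the section here. Overriding fail to
        # priority 1 lets processing continue; the rcode is still "fail",
        # so the following "if" matches and the next source is tried.
        ldap1 {
                fail = 1
        }
        if (notfound || fail) {
                ldap3 {
                        fail = 1
                }
                if (notfound || fail) {
                        ldap2 {
                                fail = 1
                        }
                        if (notfound || fail) {
                                # Last source: keep the default action so
                                # an outage of all four still returns fail
                                # rather than silently falling through.
                                ldap4
                        }
                }
        }

        files
        pap
}
```

With this in place, `radiusd -X` shows the next ldap instance being tried after `++[ldap1] returns fail` instead of the immediate `Invalid user` line and Access-Reject. The same override can be applied selectively: leaving `ldap4` at its default means a user found in none of the four directories still gets `notfound` and falls through to `files`/`pap`, while a complete directory outage is reported as `fail`.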