Auth-Type Fall-Through & ldap timeouts

Phil Mayers p.mayers at
Wed Apr 18 12:33:08 CEST 2012

On 18/04/12 09:40, Tobias Hachmer wrote:
> Hello list,
> I'm using a sql database for authorization and ldap for authentication.
> For fail-over reasons I want to authenticate against user-password
> information stored in my sql database if my ldap servers are not
> available (all ldap modules return fail).

Why would you do this?

If SQL contains the users, just auth to SQL, surely?

If you can explain your use-case, people might be able to make better 

> For authentication I configured:
> Auth-Type LDAP {
> redundant-load-balance {
> ldap1
> ldap2
> ldap3
> }
> if(fail) {
> pap
> }
> }
> So I set the network interfaces of my ldap servers manually to down and
> startet testing. But the timeouts for every ldap module are too big
> (circa 50 seconds).
> I noticed the timeout directives in the ldap module. In all three ldap
> modules the net_timeout is set to "1".
> Question 1: How can I reduce these timeouts?

Which LDAP client libraries are you using, and which version?

Which version of FreeRADIUS?

What does a "tcpdump" show for port 389 during your tests? Do you get 
TCP RSTs, ICMP errors, or what?

> Question 2: Can I check earlier my ldap servers are available and if not
> skip Auth-Type LDAP or setting Auth-Type to PAP?

Not natively in FreeRADIUS.

LDAP is problematic in this regard; the libldap APIs are pretty weak, 
and don't offer good asynchronous support, or timely error notification 
in some failure modes.

It's difficult for me to see what FreeRADIUS can do in situations like this.

> Question 3: Are there any other opportunities to do Auth-Type PAP if
> Auth-Type LDAP fails?

I'm not sure what you're asking here.

More information about the Freeradius-Users mailing list