Auth-Type Fall-Through & ldap timeouts

Tobias Hachmer lists at kokelnet.de
Wed Apr 18 14:16:42 CEST 2012


On 18.04.2012 12:33, Phil Mayers wrote:
> On 18/04/12 09:40, Tobias Hachmer wrote:
>> I'm using a sql database for authorization and ldap for 
>> authentication.
>> For fail-over reasons I want to authenticate against user-password
>> information stored in my sql database if my ldap servers are not
>> available (all ldap modules return fail).
> Why would you do this?
Simply as a fallback, in case there is maintenance on the network 
where the ldap servers are connected to. In this case we need to log on 
to our switches though.


> If SQL contains the users, just auth to SQL, surely?
> If you can explain your use-case, people might be able to make better
> suggestions.
OK, I configure the same users, these are about 10-15 users, which are 
stored in Active Directory, in the sql database.
The sql database should be used for authentication only if the ldap 
servers are not available.

>> So I set the network interfaces of my ldap servers manually to down and
>> started testing. But the timeouts for every ldap module are too big
>> (circa 50 seconds).
>> I noticed the timeout directives in the ldap module. In all three ldap
>> modules the net_timeout is set to "1".
>>
>> Question 1: How can I reduce these timeouts?
>
> Which LDAP client libraries are you using, and which version?
I use Debian Squeeze with libldap package libldap-2.4-2; an apt-cache 
show libldap-2.4-2 shows the Version: 2.4.23-7.2

> Which version of FreeRADIUS?
FreeRADIUS 2.1.12

> What does a "tcpdump" show for port 389 during your tests? Do you get 
> TCP RSTs, ICMP errors, or what?
So I just sniffed the network for packets and recognized that my 
freeradius machine sends out a lot of arp packets for the dns server.
Then I added the ldap server to the hosts file and now the net_timeout 
= 1 seems to work. The timeouts now are ok and the first radius-request 
is answered in time.

After that I changed my configuration to this:

        Auth-Type LDAP {
                redundant {
                        redundant-load-balance {
                                ldap1
                                ldap2
                                ldap3
                        }
                        pap
                }
        }

and it works now as expected.

My questions are answered and my problems seem to be solved. If anyone 
has any further suggestions please let me know.

Thank you for your reply. You pointed me in the right direction.

Regards,

Tobias Hachmer
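The configuration below is an added example and not Tobias's posted config or the FreeRADIUS project's own files. It puts the three rlm_ldap instances (raddb/modules/ldap syntax of FreeRADIUS 2.1.x) next to the Auth-Type section from the thread, so the timeout knobs discussed above (net_timeout, timeout, timelimit) and the fallback nesting are visible in one place. The servers are addressed by IP literal rather than hostname, which removes the DNS dependency that caused the 50-second stalls. All addresses, DNs, the service account, the password and the sAMAccountName filter are placeholders and assumptions; it also assumes that the sql module in authorize supplies a known-good password (Cleartext-Password or a hashed form pap understands) for the same 10-15 users.

```unlang
# Added example (not from the original post). Placeholder values throughout.

ldap ldap1 {
        # IP literal, so an LDAP bind never waits on name resolution
        server = "192.0.2.11"
        port = 389
        identity = "cn=radius,ou=service,dc=example,dc=org"
        password = "CHANGE-ME"
        basedn = "ou=people,dc=example,dc=org"
        # assumed AD attribute; adjust to the directory in use
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

        # seconds to wait for the TCP connection to be established
        net_timeout = 1
        # seconds to wait for a reply to a request on an open connection
        timeout = 4
        # server-side search time limit in seconds
        timelimit = 3
}

ldap ldap2 {
        server = "192.0.2.12"
        port = 389
        identity = "cn=radius,ou=service,dc=example,dc=org"
        password = "CHANGE-ME"
        basedn = "ou=people,dc=example,dc=org"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        net_timeout = 1
        timeout = 4
        timelimit = 3
}

ldap ldap3 {
        server = "192.0.2.13"
        port = 389
        identity = "cn=radius,ou=service,dc=example,dc=org"
        password = "CHANGE-ME"
        basedn = "ou=people,dc=example,dc=org"
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
        net_timeout = 1
        timeout = 4
        timelimit = 3
}

authenticate {
        Auth-Type LDAP {
                redundant {
                        # pick one directory server at random; a "fail"
                        # (connect error or timeout) moves on to the next one
                        redundant-load-balance {
                                ldap1
                                ldap2
                                ldap3
                        }
                        # reached only when every ldap instance returned "fail":
                        # pap compares User-Password with the known-good password
                        # the sql module placed in the control list in authorize
                        pap
                }
        }
}
```

Two properties of this layout are worth checking in `radiusd -X` output before relying on it. First, `redundant` advances only on `fail`; a `reject` from a reachable directory server (wrong password, disabled account) ends the section, so the SQL copy of the password is consulted only while all three directory servers are unreachable, never as a second chance against a live one. Second, the worst case is bounded by roughly three times net_timeout plus the request timeouts, so a down interface should surface as a few seconds of delay rather than fifty; if it does not, the stall is outside rlm_ldap (name resolution, as in the thread), and `ldapsearch -x -H ldap://192.0.2.11 -o nettimeout=1` from the RADIUS host is a quick way to see which it is.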


