Behavior on LDAP outage

Jethro Carr jethro.carr at jethrocarr.com
Wed Jun 13 01:56:05 CEST 2012


hi all,

I had an issue today where an LDAP server being relied upon by
FreeRadius was unreachable; however, FreeRadius returned the default
authentication status for the user.

The problem is, the NAS authenticating the users against FreeRadius
considered the default authentication response (reject) to be a sign
that FreeRadius on the server was OK and didn't fail over to the
secondary server.

I was expecting it to return unreachable or just time out, instead of
running the default auth behavior, but maybe I've missed a configuration
option or have incorrect assumptions.


The setup is 2x servers, each running Radius and LDAP with LDAP
replication in place.

If the primary server is entirely unreachable, the NASes being used have
no issue failing over to the secondary. It only didn't fail over because
the NAS believed that the primary was working. :-(



Example of a test run when the LDAP server on the host is stopped:

# radtest test test123 127.0.0.1 0 testing1234
Sending Access-Request of id 108 to 127.0.0.1 port 1812
	User-Name = "test"
	User-Password = "test123"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 0
	Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=108, length=108
	Reply-Message = "Authentication denied - user does not belong to any suitable groups to access this NAS"



End of the users file, showing the default reject behavior defined:

# tail /etc/raddb/users
DEFAULT Huntgroup-Name == admins, Ldap-Group == "cn=admins,ou=Group,dc=example,dc=com", User-Profile := "cn=admins,ou=Group,dc=example,dc=com"
	Fall-Through = no

DEFAULT Auth-Type := Reject
	Reply-Message = "Authentication denied - user does not belong to any suitable groups to access this NAS"



And of course, relevant radius logs:

# tail /var/log/radius/radius.log
Wed Jun 13 11:33:14 2012 : Auth: Invalid user: [test] (from client localhost port 0)
Wed Jun 13 11:34:48 2012 : Error:   [ldap] could not start TLS Can't contact LDAP server
Wed Jun 13 11:34:48 2012 : Error:   [ldap] (re)connection attempt failed
Wed Jun 13 11:34:48 2012 : Error:   [ldap] could not start TLS Can't contact LDAP server
Wed Jun 13 11:34:48 2012 : Error:   [ldap] (re)connection attempt failed



Aside from "make sure your LDAP server doesn't die" ;-), can anyone make
any recommendations around the best approach to take, so that in the event
of an LDAP outage on one host, FreeRadius returns a result (or nothing
at all) that causes the NAS to fail over to the secondary host?

Using FreeRadius 2.1.12.

many thanks,
jethro

-- 
Jethro Carr
www.jethrocarr.com
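The failure mode described in the post can be made concrete with a small model of the NAS side. The following is an added example, not code from the post and not FreeRADIUS configuration: it builds a toy RADIUS server with an LDAP backend flag and a NAS that walks a primary/secondary list with a retry budget, and compares the two server policies on backend outage, answering with the "DEFAULT Auth-Type := Reject" entry versus staying silent so the NAS times out. All user, group and server names are constructed for illustration.

```python
# Added example (not from the original post, and not FreeRADIUS code): a toy
# model of two RADIUS servers, each with its own LDAP backend, and a NAS that
# fails over only when a server does not answer. All data is constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ACCEPT = "Access-Accept"
REJECT = "Access-Reject"
NO_RESPONSE = None  # the server sent nothing; the NAS experiences a timeout

# Constructed stand-in for the LDAP directory replicated to both hosts.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "test": {"password": "test123", "groups": ["admins"]},
    "guest": {"password": "guest", "groups": ["users"]},
}


@dataclass
class RadiusServer:
    name: str
    ldap_up: bool
    # What the server does when the ldap module cannot reach its backend:
    #   "reject": fall through to "DEFAULT Auth-Type := Reject" (the post's behaviour)
    #   "silent": send no packet at all, so the NAS times out and fails over
    on_ldap_failure: str = "reject"
    directory: Dict[str, Dict[str, object]] = field(default_factory=lambda: DIRECTORY)

    def handle(self, user: str, password: str) -> Optional[str]:
        if not self.ldap_up:
            # Backend outage. An Access-Reject here is indistinguishable, to the
            # NAS, from a healthy server rejecting a user who is not in the group.
            return REJECT if self.on_ldap_failure == "reject" else NO_RESPONSE
        entry = self.directory.get(user)
        if entry and entry["password"] == password and "admins" in entry["groups"]:
            return ACCEPT
        return REJECT  # the post's "does not belong to any suitable groups" case


@dataclass
class Nas:
    """NAS with an ordered server list and a per-server retry budget."""
    servers: List[RadiusServer]
    retries: int = 3
    log: List[str] = field(default_factory=list)

    def authenticate(self, user: str, password: str) -> Tuple[Optional[str], Optional[str]]:
        for srv in self.servers:
            for attempt in range(1, self.retries + 1):
                reply = srv.handle(user, password)
                if reply is NO_RESPONSE:
                    self.log.append(f"{srv.name}: no reply, attempt {attempt}/{self.retries}")
                    continue
                # Any RADIUS packet, Accept or Reject, proves the server is alive,
                # so the NAS accepts the verdict and never consults the secondary.
                self.log.append(f"{srv.name}: {reply}")
                return reply, srv.name
            self.log.append(f"{srv.name}: marked dead, failing over")
        return NO_RESPONSE, None


def run_scenario(on_ldap_failure: str) -> Tuple[Optional[str], Optional[str]]:
    """Primary host has lost its LDAP server; the secondary is healthy.

    A primary that is entirely unreachable behaves like the "silent" policy,
    which is the case the post reports as failing over correctly.
    """
    primary = RadiusServer("primary", ldap_up=False, on_ldap_failure=on_ldap_failure)
    secondary = RadiusServer("secondary", ldap_up=True, on_ldap_failure=on_ldap_failure)
    nas = Nas([primary, secondary])
    result = nas.authenticate("test", "test123")
    for line in nas.log:
        print(line)
    return result


if __name__ == "__main__":
    print(run_scenario("reject"))  # ('Access-Reject', 'primary'): stuck on the broken host
    print(run_scenario("silent"))  # ('Access-Accept', 'secondary'): failover works
```

The model shows why the reject is the problem rather than the LDAP outage itself: the NAS's failover logic keys on transport-level silence, so any application-level answer from the primary, including a reject produced by a catch-all DEFAULT entry, is taken as proof of health. Whatever FreeRADIUS-side change is chosen, the property to aim for is the "silent" row: when the ldap module cannot reach its backend, the server must not produce a reply the NAS would treat as a valid verdict.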