<br><font size=2 face="sans-serif">We are running FreeRADIUS v. 1.0.2</font>
<br><font size=2 face="sans-serif">2x load-balanced LDAP servers - Sun ONE DS 5.2 on W2k3 Ent. with network load balancing. One of the LDAPs is the primary and is handling the auth traffic.</font>
<br>
<br><font size=2 face="sans-serif">Here is the issue we're seeing:</font>
<br>
<br><font size=2 face="sans-serif">Approximately 10-20 times per day users are unable to authenticate - despite using correct credentials. The radius server reports that the bind failed because it "Can't contact LDAP server". The LDAP logs show the bind, search, and reply for the "does this user exist" request. Sometimes this search is repeated a couple of times. However, there is no follow-up bind as this user for checking the creds. If the user tries again in 30 secs or more, they succeed - with the same creds as before. </font>
<br>
<br><font size=2 face="sans-serif">Any ideas? Thanks for any help!</font>
<br>
<br><font size=2 face="sans-serif">Below are excerpts from the logs:</font>
<br>
<br><font size=2 face="sans-serif">------------------------ Radius log entry ------------------------</font>
<br>
<pre>
rlm_ldap: - authorize
rlm_ldap: performing user authorization for someuser
radius_xlat: '(uid=someuser)'
radius_xlat: 'ou=people,dc=uttyler,dc=edu'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=people,dc=uttyler,dc=edu, with filter (uid=someuser)
rlm_ldap: ldap_search() failed: LDAP connection lost.
rlm_ldap: Attempting reconnect
rlm_ldap: attempting LDAP reconnection
rlm_ldap: closing existing LDAP connection
rlm_ldap: (re)connect to ldap.uttyler.edu:389, authentication 0
rlm_ldap: bind as uid=radiususer,ou=special users,dc=uttyler,dc=edu/radius_password to ldap.uttyler.edu:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=people,dc=uttyler,dc=edu, with filter (uid=someuser)
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user someuser authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "ldap" returns ok for request 987
modcall: group authorize returns ok for request 987
  rad_check_password: Found Auth-Type LDAP
auth: type "LDAP"
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 987
rlm_ldap: - authenticate
rlm_ldap: login attempt by "someuser" with password "04191987"
rlm_ldap: user DN: uid=someuser,ou=People,dc=uttyler,dc=edu
rlm_ldap: (re)connect to ldap.uttyler.edu:389, authentication 1
rlm_ldap: bind as uid=someuser,ou=People,dc=uttyler,dc=edu/04191987 to ldap.uttyler.edu:389
rlm_ldap: uid=someuser,ou=People,dc=uttyler,dc=edu bind to ldap.uttyler.edu:389 failed: Can't contact LDAP server
rlm_ldap: ldap_connect() failed
  modcall[authenticate]: module "ldap" returns fail for request 987
modcall: group Auth-Type returns fail for request 987
auth: Failed to validate the user.
Login incorrect: [someuser/04191987] (from client AireSpace port 0 cli 10.3.1.72)
Delaying request 987 for 1 seconds
Finished request 987
Going to the next request
</pre>
<br>
<br>
<br><font size=2 face="sans-serif">-------------------- LDAP Log ------------------------------</font>
<br>
<pre>
[23/Jan/2006:07:47:13 -0600] conn=886 op=1 msgId=2 - SRCH base="ou=people,dc=uttyler,dc=edu" scope=2 filter="(uid=someuser)" attrs="radiusexpiration acctflags ntpassword lmpassword radiuscallingstationid radiuscalledstationid radiussimultaneoususe radiusauthtype radiuscheckitem radiusloginlatport radiusportlimit radiusframedappletalkzone radiusframedappletalknetwork radiusframedappletalklink radiusloginlatgroup radiusloginlatnode radiusloginlatservice radiusterminationaction radiusidletimeout radiussessiontimeout radiusclass radiusframedipxnetwork radiuscallbackid radiuscallbacknumber radiuslogintcpport radiusloginservice radiusloginiphost radiusframedcompression radiusframedmtu radiusfilterid radiusframedrouting radiusframedroute radiusframedipnetmask radiusframedipaddress radiusframedprotocol radiusservicetype radiusreplyitem"
[23/Jan/2006:07:47:13 -0600] conn=886 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2006:07:47:24 -0600] conn=886 op=2 msgId=3 - SRCH base="ou=people,dc=uttyler,dc=edu" scope=2 filter="(uid=someuser)" attrs="radiusexpiration acctflags ntpassword lmpassword radiuscallingstationid radiuscalledstationid radiussimultaneoususe radiusauthtype radiuscheckitem radiusloginlatport radiusportlimit radiusframedappletalkzone radiusframedappletalknetwork radiusframedappletalklink radiusloginlatgroup radiusloginlatnode radiusloginlatservice radiusterminationaction radiusidletimeout radiussessiontimeout radiusclass radiusframedipxnetwork radiuscallbackid radiuscallbacknumber radiuslogintcpport radiusloginservice radiusloginiphost radiusframedcompression radiusframedmtu radiusfilterid radiusframedrouting radiusframedroute radiusframedipnetmask radiusframedipaddress radiusframedprotocol radiusservicetype radiusreplyitem"
[23/Jan/2006:07:47:24 -0600] conn=886 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2006:07:47:25 -0600] conn=887 op=-1 msgId=-1 - fd=1132 slot=1132 LDAP connection from 198.213.57.20 to 198.213.56.5
[23/Jan/2006:07:47:25 -0600] conn=887 op=0 msgId=1 - BIND dn="uid=someuser,ou=People,dc=uttyler,dc=edu" method=128 version=3
[23/Jan/2006:07:47:25 -0600] conn=887 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=someuser,ou=people,dc=uttyler,dc=edu"
[23/Jan/2006:07:47:25 -0600] conn=887 op=1 msgId=2 - UNBIND
</pre>
<br><font size=2 face="sans-serif"><br>
<br>
Tim Crouch<br>
Systems Administrator<br>
Campus Computing Services<br>
903-566-7476</font>
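<br><font size=2 face="sans-serif">Added example, not part of the post above and not FreeRADIUS or Sun ONE DS code: a Python script that parses the two kinds of log excerpt quoted in the post and, for every bind that rlm_ldap reported as failed, looks up what the directory's access log recorded for the same DN. In the excerpts the directory shows conn=887 accepting the user's bind (RESULT err=0 with tag=97, the BER tag of an LDAP bindResponse) followed directly by an UNBIND, while the RADIUS side reports "Can't contact LDAP server"; putting those two facts side by side per user is what separates a client-side connection problem from a wrong password. The sample log lines are constructed from the excerpts (the long attrs list in the SRCH lines is left out), DNs are compared case-insensitively because the directory log writes ou=People and ou=people for the same entry, and the scrubbing function at the end exists because the debug output prints the user's cleartext password, as the excerpt shows.</font>

```python
"""Correlate FreeRADIUS rlm_ldap bind failures with a Sun ONE DS style access log."""
import re
from datetime import datetime

# Constructed sample input, copied in shape from the excerpts in the post (attrs list dropped).
RADIUS_DEBUG = """\
rlm_ldap: login attempt by "someuser" with password "04191987"
rlm_ldap: user DN: uid=someuser,ou=People,dc=uttyler,dc=edu
rlm_ldap: (re)connect to ldap.uttyler.edu:389, authentication 1
rlm_ldap: bind as uid=someuser,ou=People,dc=uttyler,dc=edu/04191987 to ldap.uttyler.edu:389
rlm_ldap: uid=someuser,ou=People,dc=uttyler,dc=edu bind to ldap.uttyler.edu:389 failed: Can't contact LDAP server
rlm_ldap: ldap_connect() failed
Login incorrect: [someuser/04191987] (from client AireSpace port 0 cli 10.3.1.72)
"""

LDAP_ACCESS = """\
[23/Jan/2006:07:47:24 -0600] conn=886 op=2 msgId=3 - RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2006:07:47:25 -0600] conn=887 op=-1 msgId=-1 - fd=1132 slot=1132 LDAP connection from 198.213.57.20 to 198.213.56.5
[23/Jan/2006:07:47:25 -0600] conn=887 op=0 msgId=1 - BIND dn="uid=someuser,ou=People,dc=uttyler,dc=edu" method=128 version=3
[23/Jan/2006:07:47:25 -0600] conn=887 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=someuser,ou=people,dc=uttyler,dc=edu"
[23/Jan/2006:07:47:25 -0600] conn=887 op=1 msgId=2 - UNBIND
"""

LDAP_LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<rest>.*)$')
RADIUS_FAIL = re.compile(r'rlm_ldap: (?P<dn>.+?) bind to (?P<host>\S+) failed: (?P<reason>.+)$')


def norm_dn(dn):
    """Directory servers match DNs case-insensitively; the log mixes ou=People and ou=people."""
    return ','.join(part.strip().lower() for part in dn.split(','))


def parse_ldap_access(text):
    """Pair each BIND with the RESULT carrying the same conn/op; one record per completed bind."""
    pending, binds = {}, []
    for line in text.splitlines():
        m = LDAP_LINE.match(line)
        if not m:
            continue
        key, rest = (m['conn'], m['op']), m['rest']
        b = re.match(r'BIND dn="(?P<dn>[^"]*)"', rest)
        if b:
            pending[key] = {'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
                            'conn': m['conn'], 'dn': b['dn']}
            continue
        r = re.match(r'RESULT err=(?P<err>\d+) tag=(?P<tag>\d+)', rest)
        if r and key in pending and r['tag'] == '97':   # 97 = BER tag of bindResponse
            rec = pending.pop(key)
            rec['err'] = int(r['err'])
            binds.append(rec)
    return binds


def radius_bind_failures(text):
    """Every 'DN bind to HOST failed: REASON' line from rlm_ldap debug output."""
    return [m.groupdict() for m in map(RADIUS_FAIL.search, text.splitlines()) if m]


def correlate(radius_text, ldap_text):
    """For each client-side bind failure, list the directory-side binds for the same DN."""
    binds = parse_ldap_access(ldap_text)
    out = []
    for f in radius_bind_failures(radius_text):
        seen = [b for b in binds if norm_dn(b['dn']) == norm_dn(f['dn'])]
        out.append({**f, 'directory_binds': seen,
                    'directory_accepted': any(b['err'] == 0 for b in seen)})
    return out


def redact_passwords(text):
    """rlm_ldap debug output prints cleartext passwords; scrub before the log leaves the box."""
    text = re.sub(r'with password "[^"]*"', 'with password "<redacted>"', text)
    text = re.sub(r'(bind as .+)/[^/ ]+ to ', r'\1/<redacted> to ', text)
    text = re.sub(r'(Login incorrect: \[[^/\]]+)/[^\]]*\]', r'\1/<redacted>]', text)
    return text


if __name__ == '__main__':
    for f in correlate(RADIUS_DEBUG, LDAP_ACCESS):
        print(f"{f['dn']}: client says '{f['reason']}', "
              f"directory accepted bind: {f['directory_accepted']}")
    print(redact_passwords(RADIUS_DEBUG))
```

<br><font size=2 face="sans-serif">The match is on DN rather than on time because rlm_ldap debug output (radiusd -X) carries no timestamps; when the directory runs behind a load balancer, as in the post, pull the access logs from every member, since the bind the client reports as failed may have landed on a different server than the search that preceded it.</font>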