<div dir="ltr">Hi!<br><br>I commented out the deny rule and it exhibits the same behavior. I am at a loss on this one. <br><br><br><div class="gmail_quote">2008/10/19 <span dir="ltr"><<a href="mailto:tnt@kalik.net">tnt@kalik.net</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Same huntgroup - different ldaps; you can't have DEFAULT lines rejecting<br>
users then. Comment them out and see if it works.<br>
<br>
Ivan Kalik<br>
Kalik Informatika ISP<br>
<br>
<br>
On 19/10/2008, "Elizabeth Steinke" <liz@twistedpair.cc> writes:<br>
<div><div></div><div class="Wj3C7c"><br>
>Greetings!<br>
>I'm having an odd problem trying to implement load balancing/redundancy. I<br>
>have added the following lines to my radiusd.conf<br>
><br>
>authorize {...<br>
>#<br>
># We want redundant ldap lookups<br>
>##<br>
>redundant-load-balance {<br>
> ldap1<br>
> ldap2<br>
>}<br>
>##<br>
># end redundancy<br>
>##<br>
> }<br>
><br>
>modules (...<br>
><br>
> ldap ldap1 {<br>
> }<br>
><br>
> ldap ldap2 {<br>
> }<br>
><br>
> }<br>
><br>
><br>
>Scenarios:<br>
><br>
>This occurs using freeradius 1.1.7 (built from source) on a centos 5 box.<br>
>If they both are specified correctly everything appears to work ok.<br>
><br>
>When I purposely break ldap1 it works great and uses ldap2 for the LDAP<br>
>lookup.<br>
><br>
>When I break ldap2 and correct the IP address ldap1 is using to do lookups I<br>
>get an access-reject packet back.<br>
><br>
>Here is the snippet of the log (I am posting it for brevity, I will be more<br>
>than happy to post all of radiusd -X)<br>
><br>
>---log bits for when it rejects the attempt--<br>
><br>
>lm_ldap: ...some ldap server in ldap fairy land... failed: Can't contact<br>
>LDAP server<br>
>rlm_ldap: (re)connection attempt failed<br>
>rlm_ldap::ldap_groupcmp: search failed<br>
>rlm_ldap: ldap_release_conn: Release Id: 0<br>
> users: Matched entry DEFAULT at line 69<br>
><br>
>here is rule 68-69:<br>
><br>
>DEFAULT Huntgroup-Name =="some huntgroup", Auth-Type = ntlm_auth_cleartext<br>
> Fall-Through = 1<br>
>DEFAULT Huntgroup-Name == "some huntgroup",Ldap-Group != "someldapgroup",<br>
>Auth-Type := Reject<br>
><br>
>I can then see rlm_ldap doing the lookup successfully on ldap1<br>
><br>
>lm_ldap: ldap_get_conn: Checking Id: 0<br>
>rlm_ldap: ldap_get_conn: Got Id: 0<br>
>rlm_ldap: attempting LDAP reconnection<br>
>rlm_ldap: (re)connect to ldap1:3268, authentication 0<br>
>rlm_ldap: waiting for bind result ...<br>
>rlm_ldap: Bind was successful<br>
>rlm_ldap: performing search in dc=.....<br>
>rlm_ldap: looking for check items in directory...<br>
>rlm_ldap: Adding memberOf as Ldap-Group == "..."<br>
><br>
><br>
>What I think is happening is that since the LDAP lookup failed the user is indeed<br>
>not a user of the group (doesn't exist, etc.), so it matches on the failure;<br>
>since it's the first match, it doesn't matter that it matches on the second<br>
>lookup. It still gives me a failure. Is there a way to keep it from rejecting<br>
>the attempt if ldap2 is down?<br>
><br>
><br>
<br>
</div></div>-<br>
List info/subscribe/unsubscribe? See <a href="http://www.freeradius.org/list/users.html" target="_blank">http://www.freeradius.org/list/users.html</a><br>
</blockquote></div><br></div>
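The log correlation below is an added example and not code from this thread or from FreeRADIUS: it scans radiusd -X output for a users-file match that follows an rlm_ldap connection failure and a failed ldap_groupcmp, so an operator can tell a reject caused by an unreachable LDAP server from a reject caused by the user genuinely being outside the group. The sample log is constructed after the lines quoted above; the host names, port and users-file line number are assumptions.

```python
import re

# Constructed sample of radiusd -X output, modelled on the lines quoted in the
# thread; host names, port and the users-file line number are assumptions.
SAMPLE_LOG = """\
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: (re)connect to ldap2:3268, authentication 0
rlm_ldap: ldap2:3268 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
    users: Matched entry DEFAULT at line 69
rlm_ldap: (re)connect to ldap1:3268, authentication 0
rlm_ldap: Bind was successful
rlm_ldap: Adding memberOf as Ldap-Group == "someldapgroup"
"""

RECONNECT = re.compile(r"rlm_ldap: \(re\)connect to (\S+), authentication")
CONN_FAILED = re.compile(r"rlm_ldap: \(re\)connection attempt failed")
GROUPCMP_FAILED = re.compile(r"rlm_ldap::ldap_groupcmp: search failed")
USERS_MATCH = re.compile(r"users: Matched entry (\S+) at line (\d+)")


def find_outage_rejects(log_text):
    """Return (entry, users_line, failed_server) for each users-file match that
    followed an ldap_groupcmp failure caused by an unreachable server. Such a
    match reflects the outage, not the user's real group membership."""
    findings = []
    current_server = None   # host:port named by the latest (re)connect line
    failed_server = None    # server whose connection attempt failed
    groupcmp_failed = False
    for line in log_text.splitlines():
        m = RECONNECT.search(line)
        if m:
            current_server = m.group(1)
        elif CONN_FAILED.search(line):
            failed_server = current_server
        elif GROUPCMP_FAILED.search(line):
            groupcmp_failed = True
        elif (m := USERS_MATCH.search(line)):
            if groupcmp_failed:
                findings.append((m.group(1), int(m.group(2)), failed_server))
            groupcmp_failed = False   # the match ends this comparison pass
            failed_server = None
    return findings
```

Run it over a full `radiusd -X` capture: any finding whose entry is a DEFAULT line with `Auth-Type := Reject` is a reject the LDAP outage produced, which is exactly the case the reply above says such DEFAULT lines cannot handle.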