authorize { redundant { svr1 svr3 svr2 notfound = return } files }
authenticate { Auth-Type LDAP { redundant { # wasn't sure if this was necessary svr1 svr3 svr2 } } }
I test by simulating a failure of svr1 using:
route add -host <svr1 IP> 127.0.0.1 -blackhole
Svr3 happens to be down for maintenance at the moment
Thanks for any help, Jason
Log:
rad_recv: Access-Request packet from host x.x.x.x:3104, id=14, length=54 User-Name = "username" User-Password = "XXXXX" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for usersname radius_xlat: 'XXXXXXXX' radius_xlat: 'XXXXXXXX' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr1 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXX to XXXXXXXXXXXX rlm_ldap: XXXXXXXXXX bind to XXXXXXXXXXX failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "svr1" returns fail for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for username radius_xlat: 'XXXXXXXXXXXXXXXXXXX' radius_xlat: 'XXXXXXXXXXXXXXXXXXX' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr3 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXXX to XXXXXXXXXXXXXX rlm_ldap: XXXXXXXXXXXx bind to XXXXXXXXXXXXXXX failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "svr3" returns fail for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for username radius_xlat: 'XXXXXXXXXXXXXXXxxxxxx' radius_xlat: 'XXXXXXXXXXXXXXXXXXXXX' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr2 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXX to XXXXXXXXXXXXXXXX rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in XXXXXXXXXXXXXXXXXX, with filter (&(XXXXXXXX)(XXXXXXXXXX)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "svr2" returns ok for request 0 modcall: group redundant returns ok for request 0 radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' radius_xlat: '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXX))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr1 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXx rlm_ldap: XXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Search returned error radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX' rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXX' radius_xlat: '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxx))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr1 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXX rlm_ldap: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Search returned error users: Matched entry DEFAULT at line 224 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user auth: Failed to validate the user. Login incorrect: [username] (from client client port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 14 to x.x.x.x:3104 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 14 with timestamp 42d548f0 Nothing to do. Sleeping until we see a request. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html