adding output from radiusd -X Listening on authentication address 127.0.0.1 port 1812 Listening on authentication address 192.168.2.1 port 1812 Listening on accounting address 192.168.2.1 port 1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.1 port 1026, id=21, length=84 User-Name = "prosserg" User-Password = * Service-Type = Authenticate-Only NAS-Identifier = "www.trinity-bris.ac.uk" NAS-IP-Address = 192.168.2.1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "prosserg", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for prosserg expand: %{Stripped-User-Name} -> expand: %{User-Name} -> prosserg expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=prosserg) expand: OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk -> OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.4.250:389, authentication 0 rlm_ldap: bind as cn=LDAPBIND,cn=Users,dc=public,dc=trinity-bris,dc=ac,dc=uk/ldapbind to 192.168.4.250:389 rlm_ldap: cn=LDAPBIND,cn=Users,dc=public,dc=trinity-bris,dc=ac,dc=uk bind to 192.168.4.250:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns fail Invalid user: [prosserg/educare] (from client esther2-webserver port 0) Sending Access-Reject of id 21 to 192.168.2.1 port 1026 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 21 with timestamp +27 Ready to process requests. - IT Manager Trinity College, Bristol (http://www.trinity-bris.ac.uk) -----Original Message----- From: Gary Prosser <gary.prosser@trinity-bris.ac.uk> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: freeradius-users@lists.freeradius.org Subject: unlang and 1st of 4 ldap source fail Date: Thu, 29 Jul 2010 22:19:04 +0100 Hi I am using FreeRADIUS Version 2.0.4 On failure of the first of 4 ldap sources the freeradius server does not continue to the next source but reports 'failed'. In radiusd.conf modules I have defined 4 ldap items ldap ldap1 { server = "192.168.4.250" identity = "cn=LDAPBIND,cn=Users,dc=public,dc=trinity-bris,dc=ac,dc=uk" password = * basedn = "OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk" filter = "(samAccountName= %{%{Stripped-User-Name}:-%{User-Name}})" access_attr = "samAccountName" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 3 } ldap ldap2 { [relevant config] } ldap ldap3 { [relevant config] } ldap ldap4{ [relevant config] } in authorise I have authorize { preprocess chap mschap suffix ldap1 if(notfound || fail){ ldap3 if(notfound || fail){ ldap2 if(notfound || fail){ ldap4 } } } files pap } and in authenticate I have authenticate { ldap1 ldap2 ldap3 ldap4 chap } My ldap1 source is down yet server does not continue to next, ldap3 etc but simply reports failed. Prior to ldap source ldap1 going offline all worked as expected ie finding valid logins in ldap3 or ldap2 or ldap4 Is my unlang incorrect ? Thanks, Gary - IT Manager Trinity College, Bristol (http://www.trinity-bris.ac.uk) To ensure you receive email from Trinity College into your inbox, please add @trinity-bris.ac.uk to your email safe list (also known as whitelist). - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html To ensure you receive email from Trinity College into your inbox, please add @trinity-bris.ac.uk to your email safe list (also known as whitelist).