Zawacki Jason D Ctr AFRL/IFOS <Jason.Zawacki.ctr@rl.af.mil> wrote:
I've been trying to get this to work, but it appears, to me, that the redundancy is only used for part of the auth process.
What "auth" process? Authorize or authenticate?
When looking up the DN for the user who is trying to authenticate, redundancy works.
During the "authorize" stage.
After that though, it appears that only the first module in the redundant list is tried.
Which redundant list? You listed two.
authenticate { Auth-Type LDAP { redundant { # wasn't sure if this was necessary svr1
If you want redundancy for authentication, you can list that.
I test by simulating a failure of svr1 using:
Ok. The debug log shows:
modcall[authorize]: module "svr1" returns fail for request 0 ... modcall[authorize]: module "svr3" returns fail for request 0 ... modcall[authorize]: module "svr2" returns ok for request 0
So the redundancy in the "authorize" section works.
rlm_ldap::ldap_groupcmp: Search returned error
You're using the LDAP-Group attribute, which is set to use svr1, which is down. There's currently no fail-over for the LDAP-Group attribute. Alan DeKok.