FreeRADIUS v1.0.4, rlm_ldap module, and redundancy
Hey folks, Has anyone gotten redundancy working when using LDAP to perform authentication and authorization? I've been trying to get this to work, but it appears, to me, that the redundancy is only used for part of the auth process. When looking up the DN for the user who is trying to authenticate, redundancy works. After that though, it appears that only the first module in the redundant list is tried. Then it ultimately fails. The LDAP servers are 3 Windows DCs. authorize { redundant { svr1 svr3 svr2 notfound = return } files } authenticate { Auth-Type LDAP { redundant { # wasn't sure if this was necessary svr1 svr3 svr2 } } } I test by simulating a failure of svr1 using: route add -host <svr1 IP> 127.0.0.1 -blackhole Svr3 happens to be down for maintenance at the moment Thanks for any help, Jason Log: rad_recv: Access-Request packet from host x.x.x.x:3104, id=14, length=54 User-Name = "username" User-Password = "XXXXX" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for usersname radius_xlat: 'XXXXXXXX' radius_xlat: 'XXXXXXXX' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr1 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXX to XXXXXXXXXXXX rlm_ldap: XXXXXXXXXX bind to XXXXXXXXXXX failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "svr1" returns fail for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for username radius_xlat: 'XXXXXXXXXXXXXXXXXXX' radius_xlat: 'XXXXXXXXXXXXXXXXXXX' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr3 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXXX to XXXXXXXXXXXXXX rlm_ldap: XXXXXXXXXXXx bind to XXXXXXXXXXXXXXX failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "svr3" returns fail for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for username radius_xlat: 'XXXXXXXXXXXXXXXxxxxxx' radius_xlat: 'XXXXXXXXXXXXXXXXXXXXX' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr2 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXX to XXXXXXXXXXXXXXXX rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in XXXXXXXXXXXXXXXXXX, with filter (&(XXXXXXXX)(XXXXXXXXXX)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "svr2" returns ok for request 0 modcall: group redundant returns ok for request 0 radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' radius_xlat: '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXX))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr1 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXx rlm_ldap: XXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Search returned error radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX' rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXX' radius_xlat: '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxx))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr1 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXX rlm_ldap: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Search returned error users: Matched entry DEFAULT at line 224 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user auth: Failed to validate the user. Login incorrect: [username] (from client client port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 14 to x.x.x.x:3104 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 14 with timestamp 42d548f0 Nothing to do. Sleeping until we see a request.
Zawacki Jason D Ctr AFRL/IFOS <Jason.Zawacki.ctr@rl.af.mil> wrote:
I've been trying to get this to work, but it appears, to me, that the redundancy is only used for part of the auth process.
What "auth" process? Authorize or authenticate?
When looking up the DN for the user who is trying to authenticate, redundancy works.
During the "authorize" stage.
After that though, it appears that only the first module in the redundant list is tried.
Which redundant list? You listed two.
authenticate { Auth-Type LDAP { redundant { # wasn't sure if this was necessary svr1
If you want redundancy for authentication, you can list that.
I test by simulating a failure of svr1 using:
Ok. The debug log shows:
modcall[authorize]: module "svr1" returns fail for request 0 ... modcall[authorize]: module "svr3" returns fail for request 0 ... modcall[authorize]: module "svr2" returns ok for request 0
So the redundancy in the "authorize" section works.
rlm_ldap::ldap_groupcmp: Search returned error
You're using the LDAP-Group attribute, which is set to use svr1, which is down. There's currently no fail-over for the LDAP-Group attribute. Alan DeKok.
authorize { redundant { svr1 svr3 svr2 notfound = return } files }
authenticate { Auth-Type LDAP { redundant { # wasn't sure if this was necessary svr1 svr3 svr2 } } }
I test by simulating a failure of svr1 using:
route add -host <svr1 IP> 127.0.0.1 -blackhole
Svr3 happens to be down for maintenance at the moment
Thanks for any help, Jason
Log:
rad_recv: Access-Request packet from host x.x.x.x:3104, id=14, length=54 User-Name = "username" User-Password = "XXXXX" Processing the authorize section of radiusd.conf modcall: entering group authorize for request 0 modcall[authorize]: module "preprocess" returns ok for request 0 modcall: entering group redundant for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for usersname radius_xlat: 'XXXXXXXX' radius_xlat: 'XXXXXXXX' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr1 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXX to XXXXXXXXXXXX rlm_ldap: XXXXXXXXXX bind to XXXXXXXXXXX failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "svr1" returns fail for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for username radius_xlat: 'XXXXXXXXXXXXXXXXXXX' radius_xlat: 'XXXXXXXXXXXXXXXXXXX' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr3 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXXX to XXXXXXXXXXXXXX rlm_ldap: XXXXXXXXXXXx bind to XXXXXXXXXXXXXXX failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "svr3" returns fail for request 0 rlm_ldap: - authorize rlm_ldap: performing user authorization for username radius_xlat: 'XXXXXXXXXXXXXXXxxxxxx' radius_xlat: 'XXXXXXXXXXXXXXXXXXXXX' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr2 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXX to XXXXXXXXXXXXXXXX rlm_ldap: waiting for bind result ... rlm_ldap: Bind was successful rlm_ldap: performing search in XXXXXXXXXXXXXXXXXX, with filter (&(XXXXXXXX)(XXXXXXXXXX)) rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user username authorized to use remote access rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "svr2" returns ok for request 0 modcall: group redundant returns ok for request 0 radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' radius_xlat: '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXX))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr1 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXx rlm_ldap: XXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Search returned error radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX' rlm_ldap: Entering ldap_groupcmp() radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXX' radius_xlat: '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxx))' rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to <svr1 IP>, authentication 0 rlm_ldap: setting TLS mode to 1 rlm_ldap: setting TLS CACert File to /path/to/cacert.pem rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXX rlm_ldap: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap::ldap_groupcmp: Search returned error users: Matched entry DEFAULT at line 224 modcall[authorize]: module "files" returns ok for request 0 modcall: group authorize returns ok for request 0 rad_check_password: Found Auth-Type Reject rad_check_password: Auth-Type = Reject, rejecting user auth: Failed to validate the user. Login incorrect: [username] (from client client port 0) Delaying request 0 for 1 seconds Finished request 0 Going to the next request --- Walking the entire request list --- Waking up in 1 seconds... --- Walking the entire request list --- Sending Access-Reject of id 14 to x.x.x.x:3104 Waking up in 4 seconds... --- Walking the entire request list --- Cleaning up request 0 ID 14 with timestamp 42d548f0 Nothing to do. Sleeping until we see a request. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Wed, 13 Jul 2005, Zawacki Jason D Ctr AFRL/IFOS wrote:
Hey folks,
Has anyone gotten redundancy working when using LDAP to perform authentication and authorization?
Yep, its working for me in the lab.
I've been trying to get this to work, but it appears, to me, that the redundancy is only used for part of the auth process. When looking up the DN for the user who is trying to authenticate, redundancy works. After that though, it appears that only the first module in the redundant list is tried. Then it ultimately fails. The LDAP servers are 3 Windows DCs.
authorize { redundant { svr1 svr3 svr2 notfound = return } files }
I usually list files before ldap.
authenticate { Auth-Type LDAP { redundant { # wasn't sure if this was necessary svr1 svr3 svr2 } } }
That is correct.
participants (3)
-
Alan DeKok -
Dusty Doris -
Zawacki Jason D Ctr AFRL/IFOS