configure freeradius to send no response if LDAP database fails
Hello, I am trying to find out if there is a way to configure freeradius to exit or not send a response to queries if the local LDAP database becomes unavailable after the radius server is started. The radiusd service will not start if it cannot connect to the local LDAP database which I would expect. If I stop the LDAP service while freeradius is running I see from the debugging output pf /usr/sbin/radiusd -X that it fails to contact the LDAP server over and over and just keeps sending access-rejects back to our NAS router. Our router is configured to test the radius server with a test username but it will not mark the server as dead and move onto the next server in the server-group if it receives any response from the radius server. Even if an access-reject is received that still satisfies the test and the server does not get marked as dead. I need the server to be marked as dead if LDAP is down and radius is replying with an access-reject for everything. Any help would be appreciated. Thanks, Matt Here is radiusd -X output showing ldap failed and an access-reject being sent: rlm_ldap (ldap): Bind with cn=ldappkrv,ou=Polar,ou=Admins,dc=polarcomm,dc=com to ldap://localhost:389 failed: Can't contact LDAP server rlm_ldap (ldap): Failed to reconnect (1), no free connections are available (2) ldap: ERROR: Failed performing search: Can't contact LDAP server (2) [ldap] = fail (2) } # authorize = fail (2) Using Post-Auth-Type Reject (2) # Executing group from file /etc/raddb/sites-enabled/default (2) Post-Auth-Type REJECT { (2) attr_filter.access_reject: EXPAND %{User-Name} (2) attr_filter.access_reject: --> 9k-radius-test-username (2) attr_filter.access_reject: Matched entry DEFAULT at line 11 (2) [attr_filter.access_reject] = updated (2) } # Post-Auth-Type REJECT = updated (2) Delaying response for 1.000000 seconds [Description: MatthewAlmen]
On May 1, 2018, at 1:33 PM, Matthew Almen <malmen@polartel.com> wrote:
Hello, I am trying to find out if there is a way to configure freeradius to exit or not send a response to queries if the local LDAP database becomes unavailable after the radius server is started. The radiusd service will not start if it cannot connect to the local LDAP database which I would expect. If I stop the LDAP service while freeradius is running I see from the debugging output pf /usr/sbin/radiusd -X that it fails to contact the LDAP server over and over and just keeps sending access-rejects back to our NAS router. Our router is configured to test the radius server with a test username but it will not mark the server as dead and move onto the next server in the server-group if it receives any response from the radius server. Even if an access-reject is received that still satisfies the test and the server does not get marked as dead. I need the server to be marked as dead if LDAP is down and radius is replying with an access-reject for everything. Any help would be appreciated. Thanks, Matt
do this: ldap { fail = 1 } if (fail) { do_not_respond } That should do it. The magic "fail = 1" prevents it from leaving the "authorize" section if the LDAP module fails. It then checks for "fail" and runs the "do_not_respond" policy from raddb/policy.d/control. If you don't have that policy there, upgrade. Alan DeKok.
Allen, Thank you so much for your response. I checked and I do have the policy. I added the config you provided in the LDAP portion of the authorize section of /etc/raddb/sites-enabled/default and it works exactly how you I need it to now! Matt -----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+malmen=polartel.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, May 01, 2018 12:57 PM To: FreeRadius users mailing list Subject: Re: configure freeradius to send no response if LDAP database fails On May 1, 2018, at 1:33 PM, Matthew Almen <malmen@polartel.com> wrote:
Hello, I am trying to find out if there is a way to configure freeradius to exit or not send a response to queries if the local LDAP database becomes unavailable after the radius server is started. The radiusd service will not start if it cannot connect to the local LDAP database which I would expect. If I stop the LDAP service while freeradius is running I see from the debugging output pf /usr/sbin/radiusd -X that it fails to contact the LDAP server over and over and just keeps sending access-rejects back to our NAS router. Our router is configured to test the radius server with a test username but it will not mark the server as dead and move onto the next server in the server-group if it receives any response from the radius server. Even if an access-reject is received that still satisfies the test and the server does not get marked as dead. I need the server to be marked as dead if LDAP is down and radius is replying with an access-reject for everything. Any help would be appreciated. Thanks, Matt
do this: ldap { fail = 1 } if (fail) { do_not_respond } That should do it. The magic "fail = 1" prevents it from leaving the "authorize" section if the LDAP module fails. It then checks for "fail" and runs the "do_not_respond" policy from raddb/policy.d/control. If you don't have that policy there, upgrade. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, I was trying to test this out. Thought it was a nice idea. Unfortunately i still see a response from the radius server with the dead ldap. This causes the network device not to go to the next available radius server since radius is responding (with reject). Now if i kill radius, it of course jumps to the next radius server for authentication. * I have the do_not_respond policy in policy.d/control * radius -X shows it responding with "Access-Reject" * I believe i configured the policy it in the correct spot too. sites-enabled/default authorize { .... .... ldap { fail = 1 } if (fail) { do_not_respond } # if previous process update or "ok" and userpw is correct if ((ok || updated) && User-Password) { update { control:Auth-Type := ldap } } else { update reply { Reply-Message := "Login Failed. Please check your Username and Password" } reject } .... .... } debug with ldap alive: https://pastebin.com/VTQjdAM3 ( start on line 949 ) debug with ldap dead: https://pastebin.com/fyw4e4Hs ( start on line 903 ) Im assuming my issue is with my post-auth section, since if no conditions are met then send reject by default. ( line 978 on alive ldap ) ( line 917 on dead ldap ). Is this correct? What would be the recommended way to go about it? Any input would be appreciated. Thank you for the support! -dave On Tue, May 1, 2018 at 4:47 PM, Matthew Almen <malmen@polartel.com> wrote:
Allen, Thank you so much for your response. I checked and I do have the policy. I added the config you provided in the LDAP portion of the authorize section of /etc/raddb/sites-enabled/default and it works exactly how you I need it to now! Matt
-----Original Message----- From: Freeradius-Users [mailto:freeradius-users-bounces+malmen= polartel.com@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Tuesday, May 01, 2018 12:57 PM To: FreeRadius users mailing list Subject: Re: configure freeradius to send no response if LDAP database fails
On May 1, 2018, at 1:33 PM, Matthew Almen <malmen@polartel.com> wrote:
Hello, I am trying to find out if there is a way to configure freeradius
to exit or not send a response to queries if the local LDAP database becomes unavailable after the radius server is started. The radiusd service will not start if it cannot connect to the local LDAP database which I would expect. If I stop the LDAP service while freeradius is running I see from the debugging output pf /usr/sbin/radiusd -X that it fails to contact the LDAP server over and over and just keeps sending access-rejects back to our NAS router. Our router is configured to test the radius server with a test username but it will not mark the server as dead and move onto the next server in the server-group if it receives any response from the radius server. Even if an access-reject is received that still satisfies the test and the server does not get marked as dead. I need the server to be marked as dead if LDAP is down and radius is replying with an access-reject for everything. Any help would be appreciated. Thanks, Matt
do this:
ldap { fail = 1 } if (fail) { do_not_respond }
That should do it.
The magic "fail = 1" prevents it from leaving the "authorize" section if the LDAP module fails.
It then checks for "fail" and runs the "do_not_respond" policy from raddb/policy.d/control. If you don't have that policy there, upgrade.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
On May 2, 2018, at 2:21 PM, Dave Macias <davama@gmail.com> wrote:
I was trying to test this out. Thought it was a nice idea. Unfortunately i still see a response from the radius server with the dead ldap.
The debug log shows why. You are running TONS of policies in the "post-auth" section, one of which is an explicit "reject". See line 949. The solution is to skip all that. If the control list has &Response-Packet-Type := Do-Not-Respond, then *stop doing anything else*. Just skip the entire post-auth section: post-auth { if (control:Response-Packet-Type == Do-Not-Respond) { return } ... everything else... }
Im assuming my issue is with my post-auth section, since if no conditions are met then send reject by default. ( line 978 on alive ldap ) ( line 917 on dead ldap ). Is this correct?
Yes. If you don't want the server to respond, then you need to tell it to not respond. And don't tell it "oh never mind, send a REJECT!" Alan DeKok.
Thank you very much Alan! That was it I thought i needed to do something like that but I couldnt figure out how exactly. Looking at it, makes total sense. Thank you again! On Wed, May 2, 2018 at 2:28 PM, Alan DeKok <aland@deployingradius.com> wrote:
On May 2, 2018, at 2:21 PM, Dave Macias <davama@gmail.com> wrote:
I was trying to test this out. Thought it was a nice idea. Unfortunately i still see a response from the radius server with the dead ldap.
The debug log shows why. You are running TONS of policies in the "post-auth" section, one of which is an explicit "reject". See line 949.
The solution is to skip all that. If the control list has &Response-Packet-Type := Do-Not-Respond, then *stop doing anything else*. Just skip the entire post-auth section:
post-auth { if (control:Response-Packet-Type == Do-Not-Respond) { return }
... everything else... }
Im assuming my issue is with my post-auth section, since if no conditions are met then send reject by default. ( line 978 on alive ldap ) ( line 917 on dead ldap ). Is this correct?
Yes.
If you don't want the server to respond, then you need to tell it to not respond. And don't tell it "oh never mind, send a REJECT!"
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/ list/users.html
participants (3)
-
Alan DeKok -
Dave Macias -
Matthew Almen