unlang and 1st of 4 ldap source fail
Hi I am using FreeRADIUS Version 2.0.4 On failure of the first of 4 ldap sources the freeradius server does not continue to the next source but reports 'failed'. In radiusd.conf modules I have defined 4 ldap items ldap ldap1 { server = "192.168.4.250" identity = "cn=LDAPBIND,cn=Users,dc=public,dc=trinity-bris,dc=ac,dc=uk" password = * basedn = "OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk" filter = "(samAccountName= %{%{Stripped-User-Name}:-%{User-Name}})" access_attr = "samAccountName" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 3 } ldap ldap2 { [relevant config] } ldap ldap3 { [relevant config] } ldap ldap4{ [relevant config] } in authorise I have authorize { preprocess chap mschap suffix ldap1 if(notfound || fail){ ldap3 if(notfound || fail){ ldap2 if(notfound || fail){ ldap4 } } } files pap } and in authenticate I have authenticate { ldap1 ldap2 ldap3 ldap4 chap } My ldap1 source is down yet server does not continue to next, ldap3 etc but simply reports failed. Prior to ldap source ldap1 going offline all worked as expected ie finding valid logins in ldap3 or ldap2 or ldap4 Is my unlang incorrect ? Thanks, Gary - IT Manager Trinity College, Bristol (http://www.trinity-bris.ac.uk) To ensure you receive email from Trinity College into your inbox, please add @trinity-bris.ac.uk to your email safe list (also known as whitelist).
adding output from radiusd -X Listening on authentication address 127.0.0.1 port 1812 Listening on authentication address 192.168.2.1 port 1812 Listening on accounting address 192.168.2.1 port 1813 Ready to process requests. rad_recv: Access-Request packet from host 192.168.2.1 port 1026, id=21, length=84 User-Name = "prosserg" User-Password = * Service-Type = Authenticate-Only NAS-Identifier = "www.trinity-bris.ac.uk" NAS-IP-Address = 192.168.2.1 +- entering group authorize ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop rlm_realm: No '@' in User-Name = "prosserg", looking up realm NULL rlm_realm: No such realm "NULL" ++[suffix] returns noop rlm_ldap: - authorize rlm_ldap: performing user authorization for prosserg expand: %{Stripped-User-Name} -> expand: %{User-Name} -> prosserg expand: (samAccountName=%{%{Stripped-User-Name}:-%{User-Name}}) -> (samAccountName=prosserg) expand: OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk -> OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: attempting LDAP reconnection rlm_ldap: (re)connect to 192.168.4.250:389, authentication 0 rlm_ldap: bind as cn=LDAPBIND,cn=Users,dc=public,dc=trinity-bris,dc=ac,dc=uk/ldapbind to 192.168.4.250:389 rlm_ldap: cn=LDAPBIND,cn=Users,dc=public,dc=trinity-bris,dc=ac,dc=uk bind to 192.168.4.250:389 failed: Can't contact LDAP server rlm_ldap: (re)connection attempt failed rlm_ldap: search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap1] returns fail Invalid user: [prosserg/educare] (from client esther2-webserver port 0) Sending Access-Reject of id 21 to 192.168.2.1 port 1026 Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 21 with timestamp +27 Ready to process requests. - IT Manager Trinity College, Bristol (http://www.trinity-bris.ac.uk) -----Original Message----- From: Gary Prosser <gary.prosser@trinity-bris.ac.uk> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: freeradius-users@lists.freeradius.org Subject: unlang and 1st of 4 ldap source fail Date: Thu, 29 Jul 2010 22:19:04 +0100 Hi I am using FreeRADIUS Version 2.0.4 On failure of the first of 4 ldap sources the freeradius server does not continue to the next source but reports 'failed'. In radiusd.conf modules I have defined 4 ldap items ldap ldap1 { server = "192.168.4.250" identity = "cn=LDAPBIND,cn=Users,dc=public,dc=trinity-bris,dc=ac,dc=uk" password = * basedn = "OU=Students,DC=PUBLIC,DC=trinity-bris,DC=ac,DC=uk" filter = "(samAccountName= %{%{Stripped-User-Name}:-%{User-Name}})" access_attr = "samAccountName" start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 edir_account_policy_check=no timeout = 4 timelimit = 3 net_timeout = 3 } ldap ldap2 { [relevant config] } ldap ldap3 { [relevant config] } ldap ldap4{ [relevant config] } in authorise I have authorize { preprocess chap mschap suffix ldap1 if(notfound || fail){ ldap3 if(notfound || fail){ ldap2 if(notfound || fail){ ldap4 } } } files pap } and in authenticate I have authenticate { ldap1 ldap2 ldap3 ldap4 chap } My ldap1 source is down yet server does not continue to next, ldap3 etc but simply reports failed. Prior to ldap source ldap1 going offline all worked as expected ie finding valid logins in ldap3 or ldap2 or ldap4 Is my unlang incorrect ? Thanks, Gary - IT Manager Trinity College, Bristol (http://www.trinity-bris.ac.uk) To ensure you receive email from Trinity College into your inbox, please add @trinity-bris.ac.uk to your email safe list (also known as whitelist). - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html To ensure you receive email from Trinity College into your inbox, please add @trinity-bris.ac.uk to your email safe list (also known as whitelist).
Gary Prosser <gary.prosser@trinity-bris.ac.uk> wrote:
authorize { preprocess chap mschap suffix ldap1 if(notfound || fail){ ldap3 if(notfound || fail){ ldap2 if(notfound || fail){ ldap4 } } } files pap }
Probably better off with failover[1], never got around to sorting it out myself, but it is something like this: ---- modules { ldap ldap1 { [snipped] ok = return } ldap ldap2 { [snipped] ok = return } [snipped] } authorize { preprocess suffix redundant { ldap1 ldap3 ldap2 ldap4 } files pap } ---- No doubt Alan or Arran will correct me. You could probably also have a look at redundant-load-balance[2]. Cheers [1] http://wiki.freeradius.org/Fail-over [2] http://wiki.freeradius.org/Load_balancing -- Alexander Clouter .sigmonster says: Ring around the collar.
Alexander Clouter wrote:
Probably better off with failover[1], never got around to sorting it out myself, but it is something like this: ---- modules { ldap ldap1 { [snipped]
ok = return
No. The "ok = return" thing NEVER goes into a "modules" configuration.
authorize { preprocess suffix
redundant { ldap1 ldap3 ldap2 ldap4 }
That's the right one. Alan DeKok.
Thanks Alan I've got the desired result (if ldap1 result is fail or notfound continue; if ok then stop) using the stanza below authorize { preprocess chap mschap suffix redundant { ldap1 { fail = 1 noop = 2 notfound = 3 ok = return reject = return userlock = return invalid = return } ldap3 { fail = 1 noop = 2 notfound = 3 ok = return reject = return userlock = return invalid = return } ldap2 { fail = 1 noop = 2 notfound = 3 ok = return reject = return userlock = return invalid = return } ldap4 { fail = 1 noop = 2 notfound = 3 ok = return reject = return userlock = return invalid = return } } } Gary - IT Manager Trinity College, Bristol (http://www.trinity-bris.ac.uk) -----Original Message----- From: Alan DeKok <aland@deployingradius.com> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: unlang and 1st of 4 ldap source fail Date: Fri, 30 Jul 2010 15:39:09 +0200 Alexander Clouter wrote:
Probably better off with failover[1], never got around to sorting it out myself, but it is something like this: ---- modules { ldap ldap1 { [snipped]
ok = return
No. The "ok = return" thing NEVER goes into a "modules" configuration.
authorize { preprocess suffix
redundant { ldap1 ldap3 ldap2 ldap4 }
That's the right one. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html To ensure you receive email from Trinity College into your inbox, please add @trinity-bris.ac.uk to your email safe list (also known as whitelist).
participants (3)
-
Alan DeKok -
Alexander Clouter -
Gary Prosser