FreeRADIUS v1.0.4, rlm_ldap module, and redundancy
Zawacki Jason D Ctr AFRL/IFOS
Jason.Zawacki.ctr at rl.af.mil
Wed Jul 13 19:43:32 CEST 2005
Hey folks,
Has anyone gotten redundancy working when using LDAP to perform
authentication and authorization?
I've been trying to get this to work, but it appears, to me, that the
redundancy is only used for part of the auth process. When looking up the
DN for the user who is trying to authenticate, redundancy works. After that
though, it appears that only the first module in the redundant list is
tried. Then it ultimately fails. The LDAP servers are 3 Windows DCs.
authorize {
        redundant {
                svr1
                svr3
                svr2
                notfound = return
        }
        files
}
authenticate {
        Auth-Type LDAP {
                redundant { # wasn't sure if this was necessary
                        svr1
                        svr3
                        svr2
                }
        }
}
I test by simulating a failure of svr1 using:
route add -host <svr1 IP> 127.0.0.1 -blackhole
Svr3 happens to be down for maintenance at the moment.
Thanks for any help,
Jason
Log:
rad_recv: Access-Request packet from host x.x.x.x:3104, id=14, length=54
User-Name = "username"
User-Password = "XXXXX"
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for usersname
radius_xlat: 'XXXXXXXX'
radius_xlat: 'XXXXXXXX'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to <svr1 IP>, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XXXXXXXX to XXXXXXXXXXXX
rlm_ldap: XXXXXXXXXX bind to XXXXXXXXXXX failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "svr1" returns fail for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat: 'XXXXXXXXXXXXXXXXXXX'
radius_xlat: 'XXXXXXXXXXXXXXXXXXX'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to <svr3 IP>, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XXXXXXXXXX to XXXXXXXXXXXXXX
rlm_ldap: XXXXXXXXXXXx bind to XXXXXXXXXXXXXXX failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "svr3" returns fail for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat: 'XXXXXXXXXXXXXXXxxxxxx'
radius_xlat: 'XXXXXXXXXXXXXXXXXXXXX'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to <svr2 IP>, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XXXXXXXXX to XXXXXXXXXXXXXXXX
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in XXXXXXXXXXXXXXXXXX, with filter
(&(XXXXXXXX)(XXXXXXXXXX))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module "svr2" returns ok for request 0
modcall: group redundant returns ok for request 0
radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
radius_xlat: '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXX))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to <svr1 IP>, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXx
rlm_ldap: XXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Search returned error
radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXX'
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'XXXXXXXXXXXXXXXXXXXXXXXXX'
radius_xlat: '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxx))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to <svr1 IP>, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXX
rlm_ldap: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Search returned error
users: Matched entry DEFAULT at line 224
modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
rad_check_password: Found Auth-Type Reject
rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [username] (from client client port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 14 to x.x.x.x:3104
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 14 with timestamp 42d548f0
Nothing to do. Sleeping until we see a request.
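An added diagnostic, not part of the thread and not FreeRADIUS code, that scans radiusd -X output of the shape shown above for the symptom the post describes: it records every rlm_ldap (re)connect attempt together with the phase it belongs to (the redundant group versus the Ldap-Group check from the users file) and flags phases that kept going back to one unreachable server while another phase had already reached a working one. The embedded sample log is constructed and its 192.0.2.x hosts are placeholders.

```python
import re

# Constructed excerpt mirroring the shape of the radiusd -X output in the post;
# the 192.0.2.x hosts are placeholders, not the poster's domain controllers.
SAMPLE_LOG = """\
modcall: entering group redundant for request 0
rlm_ldap: (re)connect to 192.0.2.1, authentication 0
rlm_ldap: (re)connection attempt failed
rlm_ldap: (re)connect to 192.0.2.3, authentication 0
rlm_ldap: (re)connection attempt failed
rlm_ldap: (re)connect to 192.0.2.2, authentication 0
rlm_ldap: Bind was successful
modcall: group redundant returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: (re)connect to 192.0.2.1, authentication 0
rlm_ldap: (re)connection attempt failed
rlm_ldap::ldap_groupcmp: Search returned error
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: (re)connect to 192.0.2.1, authentication 0
rlm_ldap: (re)connection attempt failed
rlm_ldap::ldap_groupcmp: Search returned error
"""

CONNECT = re.compile(r"rlm_ldap: \(re\)connect to (\S+), authentication")

def ldap_attempts(log):
    """Return [(phase, host, ok)] for every rlm_ldap (re)connect in the log.
    phase is 'redundant' inside the redundant group and 'groupcmp' once
    ldap_groupcmp() has been entered (the Ldap-Group check from the users file)."""
    phase, host, attempts = None, None, []
    for line in log.splitlines():
        if "entering group redundant" in line:
            phase = "redundant"
        elif "Entering ldap_groupcmp()" in line:
            phase = "groupcmp"
        m = CONNECT.search(line)
        if m:
            host = m.group(1)          # a new attempt starts; outcome follows
        elif host and "Bind was successful" in line:
            attempts.append((phase, host, True)); host = None
        elif host and "(re)connection attempt failed" in line:
            attempts.append((phase, host, False)); host = None
    return attempts

def phases_without_failover(log):
    """Phases whose every attempt went to a single dead host although some
    other phase in the same request reached a live one: no failover happened."""
    attempts = ldap_attempts(log)
    live = {h for _, h, ok in attempts if ok}
    stuck = []
    for phase in dict.fromkeys(p for p, _, _ in attempts):   # keeps log order
        hosts = [h for p, h, _ in attempts if p == phase]
        if live and len(set(hosts)) == 1 and hosts[0] not in live:
            stuck.append(phase)
    return stuck
```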