FreeRADIUS v1.0.4, rlm_ldap module, and redundancy

Zawacki Jason D Ctr AFRL/IFOS Jason.Zawacki.ctr at rl.af.mil
Wed Jul 13 19:43:32 CEST 2005


Hey folks,
 
Has anyone gotten redundancy working when using LDAP to perform
authentication and authorization?  
 
I've been trying to get this to work, but it appears, to me, that the
redundancy is only used for part of the auth process.  When looking up the
DN for the user who is trying to authenticate, redundancy works.  After that
though, it appears that only the first module in the redundant list is
tried.  Then it ultimately fails.  The LDAP servers are 3 Windows DCs.
 
authorize {
    redundant {
        svr1
        svr3
        svr2
        notfound = return
    }
    files
}
 
authenticate {
    Auth-Type LDAP {
        redundant {        # wasn't sure if this was necessary
            svr1
            svr3
            svr2
        }
    }
}
 
I test by simulating a failure of svr1 using:
 
route add -host <svr1 IP> 127.0.0.1 -blackhole

Svr3 happens to be down for maintenance at the moment.

Thanks for any help,
Jason

Log:

rad_recv: Access-Request packet from host x.x.x.x:3104, id=14, length=54
        User-Name = "username"
        User-Password = "XXXXX"
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
modcall: entering group redundant for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for usersname
radius_xlat:  'XXXXXXXX'
radius_xlat:  'XXXXXXXX'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to <svr1 IP>, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XXXXXXXX to XXXXXXXXXXXX
rlm_ldap: XXXXXXXXXX bind to XXXXXXXXXXX failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "svr1" returns fail for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat:  'XXXXXXXXXXXXXXXXXXX'
radius_xlat:  'XXXXXXXXXXXXXXXXXXX'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to <svr3 IP>, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XXXXXXXXXX to XXXXXXXXXXXXXX
rlm_ldap: XXXXXXXXXXXx bind to XXXXXXXXXXXXXXX failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "svr3" returns fail for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for username
radius_xlat:  'XXXXXXXXXXXXXXXxxxxxx'
radius_xlat:  'XXXXXXXXXXXXXXXXXXXXX'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to <svr2 IP>, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XXXXXXXXX to XXXXXXXXXXXXXXXX
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in XXXXXXXXXXXXXXXXXX, with filter (&(XXXXXXXX)(XXXXXXXXXX))
rlm_ldap: looking for check items in directory...
rlm_ldap: looking for reply items in directory...
rlm_ldap: user username authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "svr2" returns ok for request 0
modcall: group redundant returns ok for request 0
radius_xlat:  'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
radius_xlat:  '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXX))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to <svr1 IP>, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXx
rlm_ldap: XXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Search returned error
radius_xlat:  'XXXXXXXXXXXXXXXXXXXXXXXXXXXX'
rlm_ldap: Entering ldap_groupcmp()
radius_xlat:  'XXXXXXXXXXXXXXXXXXXXXXXXX'
radius_xlat:  '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxx))'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to <svr1 IP>, authentication 0
rlm_ldap: setting TLS mode to 1
rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXX
rlm_ldap: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap::ldap_groupcmp: Search returned error
    users: Matched entry DEFAULT at line 224
  modcall[authorize]: module "files" returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Reject
  rad_check_password: Auth-Type = Reject, rejecting user
auth: Failed to validate the user.
Login incorrect: [username] (from client client port 0)
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 14 to x.x.x.x:3104
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 14 with timestamp 42d548f0
Nothing to do.  Sleeping until we see a request.
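The debug log above shows the symptom Jason describes: inside `redundant { }` the instances fail over (svr1 fails, svr3 fails, svr2 answers), but each later `ldap_groupcmp()` call reconnects to svr1 only. The following script is an added example, not part of the post or of FreeRADIUS itself: it walks a debug log in this format and reports which hosts the group check kept retrying after their instance had already failed, and which instance was actually healthy. The sample log and its host addresses are constructed to mirror the post.

```python
import re

# Constructed excerpt modelled on the debug output in the post; hosts are made up.
SAMPLE_LOG = """\
rlm_ldap: (re)connect to 10.0.0.1, authentication 0
  modcall[authorize]: module "svr1" returns fail for request 0
rlm_ldap: (re)connect to 10.0.0.3, authentication 0
  modcall[authorize]: module "svr3" returns fail for request 0
rlm_ldap: (re)connect to 10.0.0.2, authentication 0
rlm_ldap: Bind was successful
  modcall[authorize]: module "svr2" returns ok for request 0
modcall: group redundant returns ok for request 0
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: (re)connect to 10.0.0.1, authentication 0
rlm_ldap::ldap_groupcmp: Search returned error
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: (re)connect to 10.0.0.1, authentication 0
rlm_ldap::ldap_groupcmp: Search returned error
"""

MODULE_RE = re.compile(r'modcall\[authorize\]: module "(\w+)" returns (\w+)')
CONNECT_RE = re.compile(r'rlm_ldap: \(re\)connect to (\S+),')

def analyse(log):
    """One pass: host and result per instance inside redundant { }, plus the host each ldap_groupcmp() call used."""
    module_host, module_result, groupcmp = {}, {}, []
    last_host, in_groupcmp = None, False
    for line in log.splitlines():
        c = CONNECT_RE.search(line)
        if c:
            last_host = c.group(1)
            if in_groupcmp:
                groupcmp.append([last_host, None])   # outcome filled in below
        elif m := MODULE_RE.search(line):
            module_host[m.group(1)] = last_host      # the (re)connect line just before the result
            module_result[m.group(1)] = m.group(2)
        elif 'Entering ldap_groupcmp()' in line:
            in_groupcmp = True
        elif in_groupcmp and 'Search returned error' in line and groupcmp:
            groupcmp[-1][1] = False
            in_groupcmp = False
    return module_host, module_result, groupcmp

def failover_gap(log):
    """Hosts ldap_groupcmp() kept retrying although their instance had already failed, and the healthy instances."""
    module_host, module_result, groupcmp = analyse(log)
    failed_hosts = {h for m, h in module_host.items() if module_result[m] == 'fail'}
    healthy = sorted(m for m, r in module_result.items() if r == 'ok')
    stuck_on = sorted({h for h, ok in groupcmp if h in failed_hosts and ok is False})
    return stuck_on, healthy
```

Run against a real `radiusd -X` capture, a non-empty `stuck_on` list with a non-empty `healthy` list is the signature of this problem: the group comparison is not going through the redundant block at all.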
