FreeRADIUS v1.0.4, rlm_ldap module, and redundancy
Alan DeKok
aland at ox.org
Wed Jul 13 20:20:13 CEST 2005
Zawacki Jason D Ctr AFRL/IFOS <Jason.Zawacki.ctr at rl.af.mil> wrote:
> I've been trying to get this to work, but it appears, to me, that the
> redundancy is only used for part of the auth process.

What "auth" process? Authorize or authenticate?

> When looking up the
> DN for the user who is trying to authenticate, redundancy works.

During the "authorize" stage.

> After that
> though, it appears that only the first module in the redundant list is
> tried.

Which redundant list? You listed two.

> authenticate {
> Auth-Type LDAP {
> redundant { # wasn't sure if this was necessary
> svr1

If you want redundancy for authentication, you can list that.

> I test by simulating a failure of svr1 using:

Ok. The debug log shows:

> modcall[authorize]: module "svr1" returns fail for request 0
...
> modcall[authorize]: module "svr3" returns fail for request 0
...
> modcall[authorize]: module "svr2" returns ok for request 0

So the redundancy in the "authorize" section works.

> rlm_ldap::ldap_groupcmp: Search returned error

You're using the LDAP-Group attribute, which is set to use svr1,
which is down. There's currently no fail-over for the LDAP-Group
attribute.

Alan DeKok.
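
The distinction drawn in this reply can be checked mechanically from debug output. The following is an added example, not part of the original message or of FreeRADIUS: it summarizes which modules failed and which one took over in each section, and reports `ldap_groupcmp` errors separately because they are not `modcall` results. The sample log is constructed in the shape of the lines quoted above; the function names and the "first non-fail result after a failure" heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the debug lines quoted in the thread.
SAMPLE_LOG = '''\
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "svr1" returns fail for request 0
modcall[authorize]: module "svr3" returns fail for request 0
modcall[authorize]: module "svr2" returns ok for request 0
rlm_ldap::ldap_groupcmp: Search returned error
'''

MODCALL = re.compile(
    r'modcall\[(?P<section>\w+)\]: module "(?P<module>[^"]+)" '
    r'returns (?P<rcode>\w+) for request (?P<req>\d+)')
GROUPCMP_ERR = re.compile(r'rlm_ldap::ldap_groupcmp: .*error', re.I)

def summarize(log_text):
    """Group modcall results by (request, section); collect groupcmp errors."""
    sections = defaultdict(list)   # (request, section) -> [(module, rcode)]
    group_errors = []              # [(line number, line text)]
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = MODCALL.search(line)
        if m:
            key = (int(m['req']), m['section'])
            sections[key].append((m['module'], m['rcode']))
        elif GROUPCMP_ERR.search(line):
            group_errors.append((lineno, line.strip()))
    return dict(sections), group_errors

def failover_report(log_text):
    """Per section: modules that returned fail, and the module that took over.

    Heuristic (assumption): the first non-fail result after at least one
    fail is treated as the fail-over target. The log does not say which
    modules sit inside a redundant block.
    """
    sections, group_errors = summarize(log_text)
    report = []
    for (req, section), results in sorted(sections.items()):
        failed, took_over = [], None
        for module, rcode in results:
            if rcode == 'fail':
                failed.append(module)
            elif failed and took_over is None:
                took_over = module
        report.append({'request': req, 'section': section,
                       'failed': failed, 'took_over': took_over})
    return report, group_errors

if __name__ == '__main__':
    print(failover_report(SAMPLE_LOG))
```

A section whose report shows failures and no `took_over` module did not fail over, and any entry in the second list is a group lookup that went to a single server regardless of the `redundant` blocks.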