FreeRADIUS v1.0.4, rlm_ldap module, and redundancy
Zawacki Jason D Ctr AFRL/IFOS
Jason.Zawacki.ctr at rl.af.mil
Wed Jul 13 20:21:15 CEST 2005
> -----Original Message-----
> From: freeradius-users-bounces at lists.freeradius.org [mailto:freeradius-users-bounces at lists.freeradius.org] On Behalf Of Alan DeKok
> Sent: Wednesday, July 13, 2005 2:20 PM
> To: FreeRadius users mailing list
> Subject: Re: FreeRADIUS v1.0.4, rlm_ldap module, and redundancy
>
> Zawacki Jason D Ctr AFRL/IFOS <Jason.Zawacki.ctr at rl.af.mil> wrote:
> > I've been trying to get this to work, but it appears, to me, that the
> > redundancy is only used for part of the auth process.
>
> What "auth" process? Authorize or authenticate?
>
> > When looking up the
> > DN for the user who is trying to authenticate, redundancy works.
>
> During the "authorize" stage.
>
> > After that though, it appears that only the first module in the
> > redundant list is tried.
>
> Which redundant list? You listed two.
>
> > authenticate {
> > Auth-Type LDAP {
> > redundant { # wasn't sure if this was necessary
> > svr1
>
> If you want redundancy for authentication, you can list that.
>
> > I test by simulating a failure of svr1 using:
>
> Ok. The debug log shows:
>
> > modcall[authorize]: module "svr1" returns fail for request 0
> ...
> > modcall[authorize]: module "svr3" returns fail for request 0
> ...
> > modcall[authorize]: module "svr2" returns ok for request 0
>
> So the redundancy in the "authorize" section works.
>
> > rlm_ldap::ldap_groupcmp: Search returned error
>
> You're using the LDAP-Group attribute, which is set to use svr1,
> which is down. There's currently no fail-over for the LDAP-Group
> attribute.
>
I dig, that's kind of what I thought (even if I didn't word it correctly).
Thanks for your help!
Jason
> Alan DeKok.
>
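
Added example, not part of the original messages and not FreeRADIUS code: a short Python triage of debug output for the pattern discussed in this thread, where the redundant LDAP instances fail over during "authorize" but the LDAP-Group comparison still errors. The two line formats and the instance names svr1, svr2 and svr3 are taken from the thread; the function name `triage` and the sample lines are constructed for illustration.

```python
import re

# Line shapes taken from the debug output quoted in the thread.
MODCALL = re.compile(
    r'modcall\[(?P<section>\w+)\]: module "(?P<module>[^"]+)" '
    r'returns (?P<rcode>\w+) for request (?P<req>\d+)')
GROUPCMP_ERROR = "rlm_ldap::ldap_groupcmp: Search returned error"

# Constructed sample, assembled from the lines quoted in the thread.
SAMPLE = [
    'modcall[authorize]: module "svr1" returns fail for request 0',
    'modcall[authorize]: module "svr3" returns fail for request 0',
    'modcall[authorize]: module "svr2" returns ok for request 0',
    'rlm_ldap::ldap_groupcmp: Search returned error',
]


def triage(lines, instances):
    """Report which LDAP instances failed, which one answered in the
    authorize section, and whether an LDAP-Group comparison errored."""
    failed, served, group_errors = [], None, 0
    for line in lines:
        m = MODCALL.search(line)
        if m and m["section"] == "authorize" and m["module"] in instances:
            if m["rcode"] == "fail":
                failed.append(m["module"])
            elif m["rcode"] == "ok" and served is None:
                served = m["module"]
        elif GROUPCMP_ERROR in line:
            group_errors += 1
    return {
        "failed": failed,
        "served": served,
        "group_errors": group_errors,
        # The user lookup failed over to another instance, yet the group
        # comparison still errored: the group check has no fail-over.
        "group_check_not_redundant": bool(failed and served and group_errors),
    }


if __name__ == "__main__":
    print(triage(SAMPLE, ("svr1", "svr2", "svr3")))
```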