V1.10 File and LDAP Problems

Andrew Browning drew826 at gmail.com
Fri Feb 24 07:07:56 CET 2006

> How do you go about setting the weighting?  I want to be able to use text,
> ldap and mysql so that we have various fall back options with a failure of
> the external databases (ldap and mysql).
I'm pulling this straight from the "configurable_failover.gz" file
from the documentation:


  Rewriting results for single modules

  Normally, when a module fails, the entire section ("authorize",
"accounting", etc.) stops being processed.  In some cases, we may want
to permit "soft failures".  That is, we may want to tell the server
that it is "ok" for a module to fail, and that the failure should not
be treated as a fatal error.

  In this case, the module is treated as a "section", rather than just
as a single line in "radiusd.conf".  The configuration entries for
that section are taken from the "configurable fail-over" code, and not
from the configuration information for that module.

  For example, the "detail" module normally returns "fail" if it is
unable to write its information to the "detail" file.  As a test, we
can configure the server so that it continues processing the request,
even if the "detail" module fails.  The following example shows how:

  #  Handle accounting packets
  accounting {
      detail {
        fail = 1
      redundant {

 The "fail = 1" entry tells the server to remember the "fail" code,
with priority "1".  The normal configuration is "fail = return", which
means "if the detail module fails, stop processing the accounting


So by setting fail equal to a value (1-99999) you override the default
"fail = return."

> Once you can
> login to the LDAP, if the user does not exist in there then LDAP
> should return "noop" for the request. If you want a user to
> exist in
> both the LDAP and the users file with different passwords, that
> requires a bit of tweaking but I've got it working if you need to see
>  Would like to see how you did it.

Here's how I have the ldap/unix redundant group set up:

        Auth-Type LDAP {
                ldap {
                        reject = 3
                        fail = 3

If the user exists in the LDAP (module ldap returns ok for the
request), then the Auth-Type is set to LDAP by default (assuming you
have things set up correctly). If the password provided by the user
does not match the one in the LDAP, then instead of flat out rejecting
the user and stopping processing, I assign an arbitrary value of 3 to
the reject codes (I do the same with fail, although looking back I
don't know if there's any real reason to do so). Now rather than
returning reject (or fail) for the entire request, the section calls
the unix module to attempt to authorize via /etc/passwd. You could
just as simply have it check the users file (module "files") or a
number of other methods.

Does that make things any more clear?
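
The priority rule from the quoted documentation and the ldap/unix fallback described above, modelled in Python as an added example (not part of the original message and not FreeRADIUS code). It assumes that the highest-priority remembered code becomes the section's result and that a code with no listed action acts as "return"; `next_module` is a hypothetical stand-in for what follows "detail", and the module results are constructed.

```python
# Simplified model of the per-module return-code actions quoted above.
# Assumptions (not taken from the FreeRADIUS source): the remembered code with
# the highest priority is the section's result, a later code replaces an
# earlier one of equal priority, and a code with no listed action acts as
# "return". Module results below are constructed for illustration.
RETURN = "return"  # stop processing the section and hand back this code


def run_section(modules):
    """modules: list of (name, result_code, actions) in configuration order.

    actions maps a result code to RETURN or an integer priority (1-99999).
    Returns (final_code, names_of_modules_called).
    """
    best_code, best_prio, called = None, 0, []
    for name, code, actions in modules:
        called.append(name)
        action = actions.get(code, RETURN)
        if action == RETURN:
            return code, called
        if action >= best_prio:
            best_code, best_prio = code, action
    return best_code, called


def accounting(detail_fail_action):
    # "next_module" is a hypothetical stand-in for whatever follows "detail".
    return run_section([
        ("detail", "fail", {"fail": detail_fail_action}),
        ("next_module", "ok", {"ok": RETURN}),
    ])


def auth_type_ldap(ldap_result, unix_result):
    # ldap carries the message's "reject = 3" / "fail = 3"; unix is unmodified.
    return run_section([
        ("ldap", ldap_result, {"reject": 3, "fail": 3, "ok": RETURN}),
        ("unix", unix_result, {}),
    ])


if __name__ == "__main__":
    print(accounting(RETURN))              # default: section stops at detail
    print(accounting(1))                   # soft failure: processing continues
    print(auth_type_ldap("ok", "ok"))      # LDAP password matched
    print(auth_type_ldap("reject", "ok"))  # LDAP rejected, /etc/passwd accepted
    print(auth_type_ldap("reject", "reject"))
```

In the fourth case the request succeeds even though LDAP rejected the password, so every fallback store contributes credentials that the server will accept.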
