redundant-load-balance and Ldap-Group
Elizabeth Steinke
liz at twistedpair.cc
Sun Oct 19 23:45:36 CEST 2008
Greetings!
I'm having an odd problem trying to implement load balancing/redundancy. I
have added the following lines to my radiusd.conf
authorize {
    ...
    #
    # We want redundant ldap lookups
    #
    redundant-load-balance {
        ldap1
        ldap2
    }
    #
    # end redundancy
    #
}

modules {
    ...
    ldap ldap1 {
    }
    ldap ldap2 {
    }
}
Scenarios:
This occurs using freeradius 1.1.7 (built from source) on a centos 5 box.
If they both are specified correctly everything appears to work OK.
When I purposely break ldap1 it works great and uses ldap2 for the LDAP
lookup.
When I break ldap2 and correct the IP address ldap1 is using to do lookups I
get an access-reject packet back.
Here is the snippet of the log (I am posting it for brevity, I will be more
than happy to post all of radiusd -X)
---log bits for when it rejects the attempt--
lm_ldap: ...some ldap server in ldap fairy land... failed: Can't contact
LDAP server
rlm_ldap: (re)connection attempt failed
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
users: Matched entry DEFAULT at line 69
Here are rules 68-69:
DEFAULT Huntgroup-Name == "some huntgroup", Auth-Type = ntlm_auth_cleartext
        Fall-Through = 1
DEFAULT Huntgroup-Name == "some huntgroup", Ldap-Group != "someldapgroup", Auth-Type := Reject
I can then see rlm_ldap doing the lookup successfully on ldap1
lm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1:3268, authentication 0
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in dc=.....
rlm_ldap: looking for check items in directory...
rlm_ldap: Adding memberOf as Ldap-Group == "..."
What I think is happening is that since the LDAP lookup failed, the user is indeed
not a user of the group (doesn't exist, etc.), so it matches on the failure;
since it's the first match, it doesn't matter that it matches on the second
lookup. It still gives me a failure. Is there a way to keep it from rejecting
the attempt if ldap2 is down?
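As an added illustration (a constructed model, not FreeRADIUS code and not the poster's configuration), the Python below mimics what the log above shows: the authorize block's redundant-load-balance survives one outage, but a group comparison that reports a failed search exactly like "not a member" lets the "Ldap-Group != ..." check item match and select the Reject entry. A hardened variant consults both instances for the comparison and keeps a lookup error distinct from non-membership, so a reject caused by an outage is labelled as such instead of looking like a policy decision about the user. The users alice and bob, the membership table, and the assumption that the check item is answered by one fixed instance (ldap2) are constructed for the example.

```python
"""Constructed model (not FreeRADIUS code) of the behaviour visible in the
log above: a failed ldap_groupcmp search satisfies 'Ldap-Group != ...'."""
import random


class LdapServer:
    """Constructed stand-in for one rlm_ldap instance (ldap1 / ldap2)."""

    def __init__(self, name, up, members):
        self.name = name
        self.up = up
        self.members = members  # user -> set of group names

    def groups_of(self, user):
        if not self.up:
            raise ConnectionError(f"{self.name}: Can't contact LDAP server")
        return self.members.get(user, set())


def redundant_load_balance(servers, user, rng=random):
    """Models authorize { redundant-load-balance { ldap1 ldap2 } }:
    start at a random instance and fall through to the next on failure."""
    order = list(servers)
    rng.shuffle(order)
    for server in order:
        try:
            return server.name, server.groups_of(user)
        except ConnectionError:
            continue
    raise ConnectionError("all LDAP instances down")


def ldap_groupcmp_lossy(server, user, group):
    """Models the comparison seen in the log: a failed search is reported
    exactly like 'not a member' (non-zero means no match)."""
    try:
        return 0 if group in server.groups_of(user) else 1
    except ConnectionError:
        return 1


def ldap_groupcmp_redundant(servers, user, group):
    """Hardened variant: consult every instance before answering, and keep
    'lookup error' (None) distinct from 'not a member' (1)."""
    for server in servers:
        try:
            return 0 if group in server.groups_of(user) else 1
        except ConnectionError:
            continue
    return None


# Constructed users-file entries mirroring rules 68-69 of the post:
# each entry is (check items, values the entry sets).
ENTRIES = [
    ([("Huntgroup-Name", "==", "some huntgroup")],
     {"Auth-Type": "ntlm_auth_cleartext", "Fall-Through": True}),
    ([("Huntgroup-Name", "==", "some huntgroup"),
      ("Ldap-Group", "!=", "someldapgroup")],
     {"Auth-Type": "Reject"}),
]
LOOKUP_FAILED = "Reject (LDAP lookup failed)"


def match_users_file(entries, request, groupcmp):
    """Walk the entries in order with Fall-Through semantics and return the
    final Auth-Type; '!=' on Ldap-Group fires whenever the compare is non-zero."""
    auth_type = None
    for check_items, sets in entries:
        matched = True
        for attr, op, value in check_items:
            if attr == "Ldap-Group":
                result = groupcmp(request["User-Name"], value)
                if result is None:
                    return LOOKUP_FAILED  # fail closed, but say why
                matched = (result == 0) if op == "==" else (result != 0)
            else:
                matched = (request.get(attr) == value) == (op == "==")
            if not matched:
                break
        if matched:
            auth_type = sets.get("Auth-Type", auth_type)
            if not sets.get("Fall-Through"):
                break
    return auth_type


def decide(user, ldap1_up, ldap2_up, hardened=False):
    """Run one request through the model and return
    (instance used by the authorize block, resulting Auth-Type)."""
    members = {"alice": {"someldapgroup"}, "bob": set()}  # constructed directory
    ldap1 = LdapServer("ldap1", ldap1_up, members)
    ldap2 = LdapServer("ldap2", ldap2_up, members)
    request = {"User-Name": user, "Huntgroup-Name": "some huntgroup"}
    try:
        used, _ = redundant_load_balance([ldap1, ldap2], user, random.Random(1))
    except ConnectionError:
        return None, LOOKUP_FAILED
    if hardened:
        groupcmp = lambda u, g: ldap_groupcmp_redundant([ldap1, ldap2], u, g)
    else:
        # Assumption of this model: the Ldap-Group check item is answered by
        # one fixed instance (ldap2), outside the redundant-load-balance block.
        groupcmp = lambda u, g: ldap_groupcmp_lossy(ldap2, u, g)
    return used, match_users_file(ENTRIES, request, groupcmp)


if __name__ == "__main__":
    print(decide("alice", True, False))                  # ('ldap1', 'Reject')
    print(decide("alice", True, False, hardened=True))   # ('ldap1', 'ntlm_auth_cleartext')
```

Running the model reproduces the three scenarios in the post: both instances up or only ldap1 down gives ntlm_auth_cleartext, while ldap2 down gives Reject even though the authorize block happily used ldap1. The hardened compare changes only the last case, and when every instance is down it still rejects, but with a reason an operator can tell apart from "user is not in the group" in the log.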