redundant-load-balance and Ldap-Group

Elizabeth Steinke liz at twistedpair.cc
Mon Oct 20 03:53:04 CEST 2008


Hi!

I commented out the deny rule and it exhibits the same behavior. I am at a
loss on this on.


2008/10/19 <tnt at kalik.net>

> Same huntgroup - different ldaps; you can't have DEFAULT lines rejecting
> users then. Comment them out and see if it works.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> Dana 19/10/2008, "Elizabeth Steinke" <liz at twistedpair.cc> piše:
>
> >Greetings!
> >I'm having an odd problem trying to implement load balancing/redundancy. I
> >have added the following lines to my radiusd.conf
> >
> >authorize {...
> >#
> ># We want redundant ldap lookups
> >##
> >redundant-load-balance {
> >        ldap1
> >        ldap2
> >}
> >##
> ># end redundancy
> >##
> > }
> >
> >modules (...
> >
> >  ldap ldap1 {
> >        }
> >
> >  ldap ldap2 {
> >        }
> >
> > }
> >
> >
> >Scenarios:
> >
> >This occurs using freeradius 1.1.7 (built from source)  on a centos 5 box.
> >If they both are specified correctly everything appears to work ok .
> >
> >When I purposely break ldap1 it works great and uses ldap2 for the LDAP
> >lookup.
> >
> >When I break ldap2 and correct the IP address ldap1 is using to do lookups
> I
> >get an access-reject packet back.
> >
> >Here is the snippet of the log (I am posting it for brevity, I will be
> more
> >than happy to post all of radiusd -X)
> >
> >---log bits for when it rejects the attempt--
> >
> >lm_ldap:  ...some ldap server in ldap fairy land... failed: Can't contact
> >LDAP server
> >rlm_ldap: (re)connection attempt failed
> >rlm_ldap::ldap_groupcmp: search failed
> >rlm_ldap: ldap_release_conn: Release Id: 0
> >    users: Matched entry DEFAULT at line 69
> >
> >here is rule 68-69:
> >
> >DEFAULT Huntgroup-Name =="some huntgroup", Auth-Type = ntlm_auth_cleartext
> >        Fall-Through = 1
> >DEFAULT Huntgroup-Name == "some huntgroup",Ldap-Group != "someldapgroup",
> >Auth-Type := Reject
> >
> >I can  then see rlm_ldap doing the lookup successfully on ldap1
> >
> >lm_ldap: ldap_get_conn: Checking Id: 0
> >rlm_ldap: ldap_get_conn: Got Id: 0
> >rlm_ldap: attempting LDAP reconnection
> >rlm_ldap: (re)connect to ldap1:3268, authentication 0
> >rlm_ldap: waiting for bind result ...
> >rlm_ldap: Bind was successful
> >rlm_ldap: performing search in dc=.....
> >rlm_ldap: looking for check items in directory...
> >rlm_ldap: Adding memberOf as Ldap-Group == "..."
> >
> >
> >What I think is happening is since the LDAP lookup failed the user is
> indeed
> >not a user of the group (doesn't exist etc..)  so it matches on the
> failure,
> > since its first match it doesn't matter that is matches on the second
> >lookup. It still gives me a failure. Is their a way keep it from rejecting
> >the attempt if ldap2 is down?
> >
> >
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20081019/b4b3d597/attachment.html>


More information about the Freeradius-Users mailing list