Redundant Load Balanced LDAP authentication fails when Primary is down

Allers, Justin Justin.Allers at nrc-cnrc.gc.ca
Tue Apr 7 16:06:01 CEST 2009


Hello,

I have two freeradius v2.1.3-1 servers set up to run with redundant load balancing with two Windows Active Directory LDAP servers for authentication. When the LDAP servers are running, the radius will load-balance between them and authenticate fine. If I shut the primary LDAP server down, radius doesn't authenticate properly against the second LDAP server. I have tested the secondary LDAP as the primary in the radius configuration and it works fine. If I change the radius config to have a bogus primary name, it will then authenticate with the secondary fine. But when it has the correct name and the primary is down, the authentication fails. I believe it may have something to do with ntlm_auth, but I don't understand why, as in the other test instances with the bogus name it works. Below is the LDAP portion of my server along with a part of the debug of what happens when I shut down the primary LDAP server. If anyone has any suggestions it would be much appreciated.

Thank you,

Justin


Radius.conf

*************************************************************************************************

ldap ds-01 {
        server = "ldap1.domain.org"
        port = 3268
        identity = " bob at domain.org "
        password = "****"
        basedn = "dc=domain,dc=org"
        filter = "(sAMAccountname=%{mschap:User-Name:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no

        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = memberOf
}

ldap ds-02 {
        server = "ldap2.domain.org"
        port = 3268
        identity = "****"
        password = "****"
        basedn = "dc=domain,dc=org"
        filter = "(sAMAccountname=%{mschap:User-Name:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no

        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
        groupmembership_attribute = memberOf
}

instantiate {
        exec
        expr
        expiration
        logintime
        redundant-load-balance redundant_ldap {
                ds-01
                ds-02
        }
}

****************************************************************************************************



Debug file portion that points to ntlm_auth (as you can see, the redundancy works except for the ms-chap portion)

****************************************************************************************************
++- entering redundant-load-balance group redundant_ldap {...}
[ds-01] performing user authorization for DoeJ
[ds-01] 	expand: (sAMAccountname=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountname=DoeJ)
[ds-01] 	expand: dc=domain,dc=org -> dc=domain,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.domain.org:3268, authentication 0
rlm_ldap: bind as bob at domain.org/**** to ldap1.domain.org:3268
rlm_ldap: bob at domain.org bind to ldap1.domain.org:3268 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
[ds-01] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ds-01] returns fail
[ds-02] performing user authorization for DoeJ
[ds-02] 	expand: (sAMAccountname=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountname=DoeJ)
[ds-02] 	expand: dc=domain,dc=org -> dc=domain,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=org, with filter (sAMAccountname=DoeJ)
[ds-02] looking for check items in directory...
[ds-02] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ds-02] user DoeJ authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ds-02] returns ok
++- redundant-load-balance group redundant_ldap returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] No Cleartext-Password configured.  Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for DoeJ with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[mschap] 	expand: --username=%{Stripped-User-Name:-%{mschap:User-Name}} -> --username=DoeJ
[mschap]  mschap2: 4d
[mschap] 	expand: --challenge=%{mschap:Challenge:-00} -> --challenge=92aa0495d9c105f7
[mschap] 	expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ab395391ee828796a6b2458cf767e8fa87eb8530457f7b67
Exec-Program output: No logon servers (0xc000005e) 
Exec-Program-Wait: plaintext: No logon servers (0xc000005e) 
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [domain\\DoeJ] (from client switch-man-lan port 0 via TLS tunnel)
****************************************************************************************************
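Added example, not part of the post above: a small Python triage script that parses FreeRADIUS 2.x debug output of the shape quoted in the trace and separates the rlm_ldap failover result (ds-01 fail, ds-02 ok) from the NTSTATUS the ntlm_auth helper returned. The sample lines are abridged from the post; the NTSTATUS names are Microsoft's documented values.

```python
import re

# Constructed sample: lines abridged from the debug trace quoted in the post
SAMPLE_DEBUG = """\
rlm_ldap: bob at domain.org bind to ldap1.domain.org:3268 failed: Can't contact LDAP server
+++[ds-01] returns fail
+++[ds-02] returns ok
++- redundant-load-balance group redundant_ldap returns ok
[mschap] Told to do MS-CHAPv2 for DoeJ with NT-Password
Exec-Program output: No logon servers (0xc000005e)
++[mschap] returns reject
++[eap] returns reject
"""

# NTSTATUS values ntlm_auth passes straight through (Microsoft-documented codes)
NTSTATUS = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

MODULE_RE = re.compile(r"^\+*\[(?P<mod>[^\]]+)\] returns (?P<rc>\w+)$")
GROUP_RE = re.compile(r"^\+*- \S+ group (?P<grp>\S+) returns (?P<rc>\w+)$")
EXEC_RE = re.compile(r"^Exec-Program output: .*\(0x(?P<code>[0-9a-fA-F]{8})\)")

def triage(debug_text):
    # Collect per-module return codes, group return codes and any NTSTATUS seen
    out = {"modules": {}, "groups": {}, "ntstatus": None}
    for line in debug_text.splitlines():
        line = line.strip()
        if m := MODULE_RE.match(line):
            out["modules"][m["mod"]] = m["rc"]
        elif m := GROUP_RE.match(line):
            out["groups"][m["grp"]] = m["rc"]
        elif m := EXEC_RE.match(line):
            out["ntstatus"] = int(m["code"], 16)
    return out

def verdict(res):
    # Say whether the reject came from rlm_ldap or from the external ntlm_auth helper
    findings = []
    failed = [mod for mod, rc in res["modules"].items() if rc == "fail"]
    for grp, rc in res["groups"].items():
        if rc == "ok" and failed:
            findings.append(f"{grp}: LDAP failover worked, {', '.join(failed)} down")
    code = res["ntstatus"]
    if code is not None:
        findings.append(f"ntlm_auth: 0x{code:08x} {NTSTATUS.get(code, 'unknown')}")
        if code == 0xC000005E and res["modules"].get("mschap") == "reject":
            findings.append("reject comes from winbind DC lookup, not from rlm_ldap")
    return findings
```

Run it over a full `radiusd -X` capture to confirm that the LDAP group returned ok while the mschap reject carries STATUS_NO_LOGON_SERVERS, which points at winbind's domain controller discovery rather than at the rlm_ldap redundancy.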
