Redundant Load Balanced LDAP authentication fails when Primary is down
Allers, Justin
Justin.Allers at nrc-cnrc.gc.ca
Tue Apr 7 16:06:01 CEST 2009
Hello,
I have two freeradius v2.1.3-1 servers set up to run with redundant load balancing with two Windows Active Directory LDAP servers for authentication. When the LDAP servers are running, the radius will load-balance between them and authenticate fine. If I shut the primary LDAP server down, radius doesn't authenticate properly against the second LDAP server. I have tested the secondary LDAP as the primary in the radius configuration and it works fine. If I change the radius config to have a bogus primary name, it will then authenticate with the secondary fine. But when it has the correct name and the primary is down, the authentication fails. I believe it may have something to do with ntlm_auth, but I don't understand why, as in the other test instances with the bogus name it works. Below is the LDAP portion of my server along with part of the debug output of what happens when I shut down the primary LDAP server. If anyone has any suggestions it would be much appreciated.
Thank you,
Justin
Radius.conf
*************************************************************************************************
ldap ds-01 {
server = "ldap1.domain.org"
port = 3268
identity = " bob at domain.org "
password = "****"
basedn = "dc=domain,dc=org"
filter = "(sAMAccountname=%{mschap:User-Name:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf
}
ldap ds-02 {
server = "ldap2.domain.org"
port = 3268
identity = "****"
password = "****"
basedn = "dc=domain,dc=org"
filter = "(sAMAccountname=%{mschap:User-Name:-%{User-Name}})"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
groupmembership_attribute = memberOf
}
instantiate {
exec
expr
expiration
logintime
redundant-load-balance redundant_ldap {
ds-01
ds-02
}
}
****************************************************************************************************
Debug file portion that points to ntlm_auth (as you can see the redundancy works except the ms-chap portion)
****************************************************************************************************
++- entering redundant-load-balance group redundant_ldap {...}
[ds-01] performing user authorization for DoeJ
[ds-01] expand: (sAMAccountname=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountname=DoeJ)
[ds-01] expand: dc=domain,dc=org -> dc=domain,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to ldap1.domain.org:3268, authentication 0
rlm_ldap: bind as bob at domain.org/**** to ldap1.domain.org:3268
rlm_ldap: bob at domain.org bind to ldap1.domain.org:3268 failed: Can't contact LDAP server
rlm_ldap: (re)connection attempt failed
[ds-01] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ds-01] returns fail
[ds-02] performing user authorization for DoeJ
[ds-02] expand: (sAMAccountname=%{mschap:User-Name:-%{User-Name}}) -> (sAMAccountname=DoeJ)
[ds-02] expand: dc=domain,dc=org -> dc=domain,dc=org
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in dc=domain,dc=org, with filter (sAMAccountname=DoeJ)
[ds-02] looking for check items in directory...
[ds-02] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ds-02] user DoeJ authorized to use remote access
rlm_ldap: ldap_release_conn: Release Id: 0
+++[ds-02] returns ok
++- redundant-load-balance group redundant_ldap returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
[mschap] No Cleartext-Password configured. Cannot create NT-Password.
[mschap] Told to do MS-CHAPv2 for DoeJ with NT-Password
[mschap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[mschap] expand: --username=%{Stripped-User-Name:-%{mschap:User-Name}} -> --username=DoeJ
[mschap] mschap2: 4d
[mschap] expand: --challenge=%{mschap:Challenge:-00} -> --challenge=92aa0495d9c105f7
[mschap] expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ab395391ee828796a6b2458cf767e8fa87eb8530457f7b67
Exec-Program output: No logon servers (0xc000005e)
Exec-Program-Wait: plaintext: No logon servers (0xc000005e)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
[eap] Freeing handler
++[eap] returns reject
Failed to authenticate the user.
Login incorrect: [domain\\DoeJ] (from client switch-man-lan port 0 via TLS tunnel)
****************************************************************************************************
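As an added example (not part of the post or of FreeRADIUS), a small Python checker that reads a debug excerpt in the shape quoted above and separates the two things the log shows: the LDAP failover itself succeeded (the redundant-load-balance group returned ok after ds-01 failed to bind), while the reject came from mschap's external ntlm_auth helper, which is a Samba program that reaches a domain controller through winbind rather than through rlm_ldap's server list, so the LDAP redundancy does not cover it. The log lines below are constructed to mirror the post's output, not copied from it.

```python
import re

# Constructed excerpt in the shape of a FreeRADIUS 2.x debug log (not the
# original file from the post).
SAMPLE_DEBUG = """\
++- entering redundant-load-balance group redundant_ldap {...}
rlm_ldap: bind to ldap1.domain.org:3268 failed: Can't contact LDAP server
+++[ds-01] returns fail
+++[ds-02] returns ok
++- redundant-load-balance group redundant_ldap returns ok
[mschap] Told to do MS-CHAPv2 for DoeJ with NT-Password
Exec-Program output: No logon servers (0xc000005e)
Exec-Program: returned: 1
[mschap] External script failed.
++[mschap] returns reject
"""

# "+++[ds-01] returns fail" style module results
RETURN_RE = re.compile(r"^\++\[([^\]]+)\] returns (\w+)$")
# "++- redundant-load-balance group redundant_ldap returns ok" style group results
GROUP_RE = re.compile(r"^\++- ([\w-]+ group \S+) returns (\w+)$")
# Output of the external helper (ntlm_auth) run by rlm_mschap
EXEC_RE = re.compile(r"^Exec-Program output: (.*)$")


def module_results(log):
    """Map each module or group name to the last return code it reported."""
    results = {}
    for line in log.splitlines():
        m = RETURN_RE.match(line) or GROUP_RE.match(line)
        if m:
            results[m.group(1)] = m.group(2)
    return results


def diagnose(log):
    """Tell an LDAP failover problem apart from an ntlm_auth/winbind problem.

    NT status 0xc000005e (NO_LOGON_SERVERS) comes from the helper, which
    picks its own domain controller; rlm_ldap's server list is not involved.
    """
    results = module_results(log)
    exec_msgs = [m.group(1) for m in map(EXEC_RE.match, log.splitlines()) if m]
    ldap_ok = any(name.startswith("redundant-load-balance") and code == "ok"
                  for name, code in results.items())
    helper_no_dc = any("No logon servers" in msg for msg in exec_msgs)
    if ldap_ok and results.get("mschap") == "reject" and helper_no_dc:
        return "ldap-failover-ok;ntlm_auth-no-dc"
    if not ldap_ok:
        return "ldap-failover-failed"
    return "no-known-signature"
```

With this verdict the next thing to check is winbind's view of the domain (for example which DC it is bound to) rather than the rlm_ldap configuration, since ds-02 already returned ok.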