dropped request after ldap "constraint violating"

chui chui at lbl.gov
Tue Jan 26 01:12:23 CET 2010


Hi,

From radius.log, the symptom of the failure goes as follows:

1. rlm_ldap receives "constraint violation" reply from ldap.
2. other authentication requests that immediately followed the constraint
violation reply failed with "incorrect login"

sample radius log
-
Jan 12 13:44:05 : rlm_ldap: lblempnum=012345, ou=people, o=LBL, c=US bind to ldap:636 failed Constraint violation
Jan 12 13:44:05 : Login incorrect: [012345] (from client XXX port 24772 cli 0017.abcd.3fe0 via TLS tunnel)
Jan 12 13:44:12 : Login incorrect: [test-account] (from client XXX port 0)
-

At my site, I run radiusd with the -s flag.  Freeradius operation with the
backend ldap server is monitored by nagios running check_radius.  I also
have cacti checking the round trip transaction time between radiusd and ldap
at five-minute intervals.

For troubleshooting purposes, I obtained a copy of the ldap log around the
same time frame.  The ldap log showed that the user account 012345 has
exceeded the failed login attempts and the account was locked out, thus the
"constraint violation".  However, there was no ldap log entry indicating any
bind operation request from the radiusd for the [test-account].

Nagios runs the radius monitoring at 1-minute intervals, and it usually
recovers the next minute or so.  Cacti showed average radiusd-ldap rtt was
under 500ms.

Can anybody shed some light on this failure scenario?

Thanks
Cedric
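
Added example, not part of the original post: a log check that flags "Login incorrect" entries for other accounts logged shortly after an rlm_ldap "Constraint violation" bind failure, which is the pattern described above. The 30-second window, the year 2010, the function names and the last sample line are assumptions made for this example; the line layout follows the sample log in the post.

```python
import re
from datetime import datetime, timedelta

# Line layout as in the post's sample: "Mon DD HH:MM:SS : message"
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) : (?P<msg>.*)$")
BIND_FAIL = re.compile(r"rlm_ldap: (?P<dn>.+) bind to \S+ failed Constraint violation")
REJECT = re.compile(r"Login incorrect: \[(?P<user>[^\]]+)\]")

def first_rdn_value(dn):
    """Value of the leftmost RDN: '012345' for 'lblempnum=012345, ou=people, ...'."""
    return dn.split(",", 1)[0].split("=", 1)[-1].strip()

def collateral_rejects(lines, window_seconds=30, year=2010):
    """Return (timestamp, user, locked_account) for rejects of *other* users
    logged within window_seconds after a constraint-violation bind failure."""
    window = timedelta(seconds=window_seconds)
    last_fail = None  # (time, account) of the most recent constraint violation
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        # The log carries no year, so one is supplied (assumption) for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        fail = BIND_FAIL.search(m["msg"])
        if fail:
            last_fail = (ts, first_rdn_value(fail["dn"]))
            continue
        rej = REJECT.search(m["msg"])
        if rej and last_fail:
            fail_ts, account = last_fail
            # The locked account's own reject is expected; other users' are not.
            if rej["user"] != account and timedelta(0) <= ts - fail_ts <= window:
                hits.append((m["ts"], rej["user"], account))
    return hits

# First three lines are the post's sample log; the last line is constructed.
SAMPLE = """\
Jan 12 13:44:05 : rlm_ldap: lblempnum=012345, ou=people, o=LBL, c=US bind to ldap:636 failed Constraint violation
Jan 12 13:44:05 : Login incorrect: [012345] (from client XXX port 24772 cli 0017.abcd.3fe0 via TLS tunnel)
Jan 12 13:44:12 : Login incorrect: [test-account] (from client XXX port 0)
Jan 12 13:50:00 : Login incorrect: [other-user] (from client XXX port 0)
""".splitlines()

if __name__ == "__main__":
    for ts, user, account in collateral_rejects(SAMPLE):
        print(f"{ts}: reject for [{user}] follows constraint violation on [{account}]")
```

Each flagged timestamp can then be compared against the ldap log to see whether a bind request for that user ever reached the directory.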



