Re: LDAP redundant with LDAP-Group within users file

Jan.Gnepper at Jan.Gnepper at
Tue Jul 5 15:52:56 CEST 2011

>>> Defining all three servers within one section in modules/ldap
>>>          ldap {
>>>                  server = "<IP ldap-1>  <IP ldap-2>  <IP ldap-3>"
>>>                  ...
>>>          }
>>> And setting just "ldap" within authorize and authenticate:
>>> With this config another LDAP server is chosen if the one that has handled the communication for the ldap group extends fails. But failover took 15 minutes. That's much too long for us.
>>> (1-3 minutes at most will be acceptable, "zero outage" 
>>> gorgeous/expected)

>>It should not take 15 minutes.

>>What is your "net_timeout" set to?

>net_timeout = 1
>timelimit = 2
>timeout = 4

>For testing I added a host route to another gateway (= host unreachable)

OK, I ran some tests with a single ldap section.
Setting a route to a different interface for testing was a bad idea!
I watched the connections on the LDAP port and made my tests:
- I made the first request (with a positive answer).
- A connection to one server was opened and stayed "ESTABLISHED"!
- I added the route for that server to another gateway.
- The established connection is still visible (netstat -anlp | grep <ldap-server-port>).
- All requests for the next 15 minutes fail (server not reachable).
- After 15 minutes, the established connection terminates and a new connection to another server is opened. Radius has switched to another server, and everything went fine from then on.

But I ran the same test again with "tcpkill" from the dsniff package instead of setting a route.
And in this test radius switches immediately to another server; no request fails! :-)

Now it is just unclear whether these tests are representative of real LDAP server or connection problems.
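Added example, not part of the original post or of FreeRADIUS. The two tests above fail in different ways at the TCP layer: tcpkill forges an RST, so the kernel tears the ESTABLISHED connection down at once and the module reconnects; a black-holed route produces no RST and no ICMP, so the kernel keeps retransmitting until tcp_retries2 is exhausted, which with Linux defaults is documented in ip-sysctl.txt as 924.6 seconds, about the 15 minutes observed. The block below models that figure and shows the socket options (SO_KEEPALIVE, TCP_KEEPIDLE/INTVL/CNT and TCP_USER_TIMEOUT) that bound a silently dead peer to seconds. The constants and the function names are this example's own assumptions; the ldap module's own timeouts (net_timeout, timeout, timelimit) are separate from these kernel-level settings.

```python
"""Why a black-holed LDAP peer takes ~15 minutes to fail over, and how to
bound it at the TCP layer.  Added example; Linux-centric, not FreeRADIUS code."""
import socket

# Linux defaults (assumed constants): net.ipv4.tcp_retries2 = 15,
# minimum RTO 200 ms, maximum RTO 120 s.
LINUX_TCP_RETRIES2 = 15
RTO_MIN_S = 0.2
RTO_MAX_S = 120.0


def blackhole_timeout_s(retries2: int = LINUX_TCP_RETRIES2,
                        rto_min: float = RTO_MIN_S,
                        rto_max: float = RTO_MAX_S) -> float:
    """Worst-case seconds before Linux drops an ESTABLISHED connection whose
    peer vanished silently (no RST, no ICMP): the initial send plus `retries2`
    retransmissions, each waiting an RTO that doubles from rto_min and is
    capped at rto_max.  Linux defaults give the documented 924.6 s."""
    total, rto = 0.0, rto_min
    for _ in range(retries2 + 1):
        total += rto
        rto = min(rto * 2, rto_max)
    return round(total, 1)


def keepalive_detect_s(idle_s: int, interval_s: int, probes: int) -> int:
    """Seconds of silence before keepalive declares the peer dead."""
    return idle_s + interval_s * probes


def tune_dead_peer_detection(sock: socket.socket, *, idle_s: int = 10,
                             interval_s: int = 5, probes: int = 3,
                             user_timeout_ms: int = 30_000) -> dict:
    """Apply keepalive and TCP_USER_TIMEOUT to a client socket so a stuck
    connection is torn down within seconds instead of after tcp_retries2.
    Returns the values read back; options the platform lacks (macOS has no
    TCP_USER_TIMEOUT) are reported as None rather than raising."""
    applied = {}
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied["SO_KEEPALIVE"] = sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)
    for name, value in (("TCP_KEEPIDLE", idle_s), ("TCP_KEEPINTVL", interval_s),
                        ("TCP_KEEPCNT", probes), ("TCP_USER_TIMEOUT", user_timeout_ms)):
        opt = getattr(socket, name, None)  # attribute exists only where the OS supports it
        if opt is None:
            applied[name] = None
            continue
        sock.setsockopt(socket.IPPROTO_TCP, opt, value)
        applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


def demo() -> dict:
    """Create an unconnected TCP socket, tune it, read the options back."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return tune_dead_peer_detection(s)


if __name__ == "__main__":
    print(f"default Linux blackhole timeout: {blackhole_timeout_s()} s")
    print(f"keepalive would detect death after {keepalive_detect_s(10, 5, 3)} s")
    print(demo())
```

The socket options only help the connection that is already open; a new connect() to a black-holed address is bounded separately by the connect timeout (net_timeout in the ldap module). A realistic outage of the host itself, a pulled cable or a dropped firewall rule behaves like the route test, not like tcpkill, so the route test is the pessimistic one to plan for.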

