Behavior on LDAP outage
Alan DeKok
aland at deployingradius.com
Wed Jun 13 15:46:00 CEST 2012
Jethro Carr wrote:
> The problem is, the NAS authenticating the users against FreeRadius
> considered the default authentication response (reject) to be a sign
> that FreeRadius on the server was OK and didn't fail over to the
> secondary server.
>
> I was expecting it to return unreachable or just time out, instead of
> running the default auth behavior, but maybe I've missed a configuration
> option or have incorrect assumptions.
That's the way that the server works. It's still up, and *another*
module might authenticate the user.

If you want the server to not respond, see the "do_not_respond" entry
in policy.conf.
> Aside from "make sure your LDAP server doesn't die", ;-) can anyone make
> any recommendations around the best approach to take, so that in event
> of an LDAP outage on one host, FreeRadius returns a result (or nothing
> at all) that causes the NAS to fail over to the secondary host?
authorize {
	...
	redundant {
		ldap
		do_not_respond
	}
	...
}
That should work.
Alan DeKok.
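
The failover behaviour discussed in this thread, as an added example that is not part of the original message and is not FreeRADIUS code. It is a simplified Python model: the function names, the sample user set and the two-server list are constructed for illustration, and authorize and authenticate are collapsed into one step.

```python
# Simplified model of the thread's scenario (constructed, not FreeRADIUS source).
FAIL, OK, NOTFOUND, HANDLED = "fail", "ok", "notfound", "handled"

def ldap(user, directory):
    """Stand-in for the ldap module: 'fail' when the directory is unreachable."""
    if directory is None:                 # None models an LDAP outage
        return FAIL
    return OK if user in directory else NOTFOUND

def authorize(user, directory, use_do_not_respond):
    """Return the reply the NAS sees, or None when the server stays silent."""
    rcode = ldap(user, directory)
    # redundant { ldap; do_not_respond }: the second entry runs only when
    # the first one returns 'fail'. A 'notfound' does not trigger it.
    if rcode == FAIL and use_do_not_respond:
        rcode = HANDLED                   # do_not_respond: no reply packet
    if rcode == HANDLED:
        return None
    # Without do_not_respond, an LDAP failure ends in the default reject.
    return "Access-Accept" if rcode == OK else "Access-Reject"

def nas_authenticate(user, servers, use_do_not_respond):
    """NAS logic as described in the thread: any reply is final,
    only silence (a timeout) moves on to the next server."""
    for name, directory in servers:
        reply = authorize(user, directory, use_do_not_respond)
        if reply is not None:
            return name, reply
    return None, "timeout"

# Constructed sample data: LDAP is down on the primary host only.
USERS = {"alice"}
SERVERS = [("primary", None), ("secondary", USERS)]

if __name__ == "__main__":
    for flag in (False, True):
        for user in ("alice", "mallory"):
            print(flag, user, nas_authenticate(user, SERVERS, flag))
```

With the flag off, the primary's reject is taken as final and a valid user is locked out; with it on, only the outage case goes silent, so a real reject from a healthy server is still delivered.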