Behavior on LDAP outage

Alan DeKok aland at deployingradius.com
Wed Jun 13 15:46:00 CEST 2012


Jethro Carr wrote:
> The problem is, the NAS authenticating the users against FreeRadius
> considered the default authentication response (reject) to be a sign
> that FreeRadius on the server was OK and didn't fail over to the
> secondary server.
> 
> I was expecting it to return unreachable or just time out, instead of
> running the default auth behavior, but maybe I've missed a configuration
> option or have incorrect assumptions.

  That's the way that the server works.  It's still up, and *another*
module might authenticate the user.

  If you want the server to not respond, see the "do_not_respond" entry
in policy.conf.

> Aside from "make sure your LDAP server doesn't die", ;-) can anyone make
> any recommendations around the best approach to take, so that in the
> event of an LDAP outage on one host, FreeRadius returns a result (or nothing
> at all) that causes the NAS to fail over to the secondary host?

authorize {
	...
	redundant {
		ldap
		do_not_respond
	}
	...
}

  That should work.

  Alan DeKok.
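
A simplified model of why the `redundant { ldap do_not_respond }` block in the reply above lets the NAS fail over. It is an added illustration, not code from this thread or from FreeRADIUS. The function names, the return-code strings and the sample user are assumptions made for the example.

```python
# Simplified model, constructed for illustration (not FreeRADIUS code).
# All names here are hypothetical; rcode strings mirror module return codes.
FAIL, OK, NOTFOUND, HANDLED = "fail", "ok", "notfound", "handled"

def ldap(user, ldap_up, directory):
    """Stand-in for the ldap module: 'fail' means the backend is unreachable."""
    if not ldap_up:
        return FAIL
    return OK if user in directory else NOTFOUND

def do_not_respond(ctx):
    """Stand-in for the do_not_respond policy: suppress the reply packet."""
    ctx["respond"] = False
    return HANDLED

def run_redundant(modules):
    """Try modules in order; go to the next one only when one returns 'fail'."""
    rcode = FAIL
    for module in modules:
        rcode = module()
        if rcode != FAIL:
            break
    return rcode

def radius_server(user, ldap_up, directory, use_do_not_respond):
    """Return 'Access-Accept', 'Access-Reject', or None when no packet is sent."""
    ctx = {"respond": True}
    modules = [lambda: ldap(user, ldap_up, directory)]
    if use_do_not_respond:
        modules.append(lambda: do_not_respond(ctx))
    rcode = run_redundant(modules)
    if not ctx["respond"]:
        return None
    return "Access-Accept" if rcode == OK else "Access-Reject"

def nas_authenticate(user, servers):
    """NAS side: any reply is final; only silence moves on to the next server."""
    for name, server in servers:
        reply = server(user)
        if reply is not None:
            return name, reply
    return None, None  # no server answered

def scenario(user, primary_ldap_up, use_do_not_respond):
    """Primary may lose LDAP; the secondary's LDAP is always up (constructed)."""
    directory = {"alice"}  # constructed sample user
    servers = [
        ("primary", lambda u: radius_server(u, primary_ldap_up, directory, use_do_not_respond)),
        ("secondary", lambda u: radius_server(u, True, directory, use_do_not_respond)),
    ]
    return nas_authenticate(user, servers)
```

In this model an unknown user is still rejected by the primary while its LDAP is up, so only a backend failure, not a failed login, pushes the NAS to the secondary.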

