LDAP Module stops working after HUP (sometimes)

Rudolph Bott r at bott.im
Mon Oct 28 22:47:33 CET 2013


Hi List,

recently we upgraded our FR installation to 2.1.12 (Debian Wheezy 
package). We are using rlm_ldap in connection with EAP for wireless 
network authentication. However, every morning the logrotate script 
sends a HUP to freeradius after it rotated its log files. Since that 
update, every once in a while the LDAP module fails after that reload. 
It rejects all users with a line like the following:

Auth: Login incorrect (  [ldap] User not found): [username-xyz]

Since it only happens every couple of days (e.g. once a week), we are 
hesitating to enable the debug mode for several days as it spills the 
user passwords all over the log (yes I know, that has been discussed on 
this list more than enough and I do not want to open that discussion again).

I already checked the changelog from 2.1.12 up to the latest 2.x version 
and also the bug tracker on GitHub (and some more recent mails regarding 
LDAP on this list) but could not find much. Has anyone ever experienced 
this problem as well? As there is no newer package in Debian Jessie to 
backport, our next step would probably be to try to build the latest 
version ourselves. However, since we cannot reproduce the problem yet, 
testing the latest version in production is certainly not the wisest 
thing to do.

Any hints would be appreciated, thanks!


for reference, this is our current rlm_ldap config:

ldap {
	server = "ldap://server1/ ldap://server2/ ldap://server3/ ldap://server4/"
	basedn = "ou=poeple,dc=domain,dc=de"
	filter = "(uid=%{Stripped-User-Name:-%{mschap:User-Name}})"
	base_filter = "(objectclass=radiusprofile)"
	ldap_connections_number = 5
	timeout = 4
	timelimit = 3
	net_timeout = 1
	tls {
		start_tls = yes
		cacertfile              = /path/to/CA.pem
	}
	access_attr = "dialupAccess"
	dictionary_mapping = ${confdir}/ldap.attrmap
	password_attribute = userPassword
	edir_account_policy_check = no
	groupname_attribute = cn
	groupmembership_filter = "(objectClass=posixGroup)(memberUid=%{Stripped-User-Name:-%{mschap:User-Name}})"
	groupmembership_attribute = radiusGroupName
	access_attr_used_for_allow = yes
	set_auth_type = yes
	keepalive {
		idle = 60
		probes = 3
		interval = 3
	}
}


-- 
With kind regards
   Rudolph Bott
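The post's concern is that the only way to catch the failure seems to be running in debug mode for days, which leaks user passwords into the log. The following is an added example, not code from the post or from the FreeRADIUS project: a small Python check that reads the ordinary radius.log (which contains no passwords when debug is off) and flags the failure mode described above, a window in which every authentication is rejected with "[ldap] User not found" across several distinct users, which is exactly the signature a healthy server never produces. The line layout (ctime-style timestamp, " : Auth: ", then the outcome) follows the 2.x radius.log format, the window and thresholds are assumptions to tune, and the sample log lines are constructed for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed radius.log line shape (FreeRADIUS 2.x): "<ctime timestamp> : Auth: <outcome>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: (?P<rest>.*)$"
)
OK_RE = re.compile(r"^Login OK: \[(?P<user>[^\]]+)\]")
# The exact rejection text quoted in the post, with its double space after "(".
LDAP_NOTFOUND_RE = re.compile(
    r"^Login incorrect \(\s*\[ldap\] User not found\): \[(?P<user>[^\]]+)\]"
)
OTHER_FAIL_RE = re.compile(r"^Login incorrect \([^)]*\): \[(?P<user>[^\]]+)\]")


def parse_line(line):
    """Return (timestamp, kind, user) for an Auth line, or None for anything else.

    kind is one of "ok", "ldap_not_found" or "other_fail". Non-Auth lines
    (Info, Error, ...) are ignored, so debug output is never needed or parsed.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%a %b %d %H:%M:%S %Y")
    rest = m.group("rest")
    for kind, rx in (("ok", OK_RE), ("ldap_not_found", LDAP_NOTFOUND_RE), ("other_fail", OTHER_FAIL_RE)):
        r = rx.match(rest)
        if r:
            return ts, kind, r.group("user")
    return None


def detect_ldap_outage(lines, window_minutes=5, min_rejects=5, min_users=3):
    """Flag sliding windows in which *every* auth outcome is an rlm_ldap
    "User not found" rejection for at least min_users distinct users.

    A single user mistyping their name never trips this; the whole module
    rejecting everyone after a reload does. One alert is raised per outage;
    the first "Login OK" afterwards marks recovery (thresholds are assumptions).
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[0])
    window = timedelta(minutes=window_minutes)
    recent = deque()
    alerts = []
    in_outage = False
    for ts, kind, user in events:
        recent.append((ts, kind, user))
        while recent and recent[0][0] < ts - window:
            recent.popleft()
        if kind == "ok":
            in_outage = False        # LDAP answers again, a later outage gets its own alert
            continue
        rejects = [e for e in recent if e[1] == "ldap_not_found"]
        users = {e[2] for e in rejects}
        only_ldap_rejects = len(rejects) == len(recent)
        if (only_ldap_rejects and len(rejects) >= min_rejects
                and len(users) >= min_users and not in_outage):
            alerts.append({"start": recent[0][0], "end": ts, "users": len(users)})
            in_outage = True
    return alerts


# Constructed sample: two successes, then (after the morning log rotation) only
# LDAP "User not found" rejections for several users, then a recovery and one
# harmless typo-style failure that must not alert.
SAMPLE_LOG = """\
Tue Oct 29 06:24:10 2013 : Auth: Login OK: [alice] (from client ap-01 port 0 cli 00-11-22-33-44-55)
Tue Oct 29 06:24:40 2013 : Auth: Login OK: [bob] (from client ap-02 port 0 cli 00-11-22-33-44-56)
Tue Oct 29 06:30:12 2013 : Auth: Login incorrect (  [ldap] User not found): [alice] (from client ap-01 port 0 cli 00-11-22-33-44-55)
Tue Oct 29 06:30:50 2013 : Auth: Login incorrect (  [ldap] User not found): [bob] (from client ap-02 port 0 cli 00-11-22-33-44-56)
Tue Oct 29 06:31:05 2013 : Auth: Login incorrect (  [ldap] User not found): [carol] (from client ap-03 port 0 cli 00-11-22-33-44-57)
Tue Oct 29 06:31:30 2013 : Auth: Login incorrect (  [ldap] User not found): [dave] (from client ap-01 port 0 cli 00-11-22-33-44-58)
Tue Oct 29 06:32:02 2013 : Auth: Login incorrect (  [ldap] User not found): [alice] (from client ap-01 port 0 cli 00-11-22-33-44-55)
Tue Oct 29 06:33:15 2013 : Auth: Login incorrect (  [ldap] User not found): [erin] (from client ap-02 port 0 cli 00-11-22-33-44-59)
Tue Oct 29 08:00:00 2013 : Auth: Login OK: [alice] (from client ap-01 port 0 cli 00-11-22-33-44-55)
Tue Oct 29 08:01:10 2013 : Auth: Login incorrect (  [ldap] User not found): [alcie] (from client ap-01 port 0 cli 00-11-22-33-44-55)
"""

if __name__ == "__main__":
    for a in detect_ldap_outage(SAMPLE_LOG.splitlines()):
        print("rlm_ldap rejecting everyone from %s to %s (%d users)"
              % (a["start"], a["end"], a["users"]))
```

Run it against the rotated-out log each morning (or tail the live one) and page on any alert; because only the non-debug log is read, nothing sensitive has to be written to disk to learn when, and for how long, the module stopped resolving users after the HUP.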

