How to find if the LDAP server is not reachable
Peter Lambrechtsen
peter at crypt.co.nz
Tue Apr 21 09:34:29 CEST 2015
On Tue, Apr 21, 2015 at 5:17 PM, Adarsha S <s.adarsha at gmail.com> wrote:
> Thanks for the help Alan.
> But the other_database I'm holding is just a simple C-language hash table
> which is unknown to the free radius process.
>
> So I've a logic where, based on the result obtained from free-radius, I'll
> have to proceed to query my local database, which is a simple hashing table.
> If I get the same response from free-radius for unreachability and wrong
> credentials, I won't be able to proceed to look up the local database, because
> only when the LDAP server is not reachable should I proceed to the local
> database.
>
> So I need a logic wherein free radius returns different error messages.
> Please guide me in the same.
>
This is how we do it: we have Reply-Message going into syslog and do
something about it using our syslog monitor. We tell FR not to respond if
the local database is AWOL, as the other redundant servers will respond:
ldap {
    fail = 1
}

# If the record was found in ldap
if (ok) {
    . do stuff..
}
# If the record wasn't found in ldap.
elsif (notfound) {
    . do other stuff..
}
else {
    # Otherwise something very wrong has happened.
    update reply {
        Reply-Message := "LDAP Server Error"
    }
    linelog
    do_not_respond
}
Works for us.
>
> Thanks,
> Adarsha
>
> On Tue, Apr 14, 2015 at 5:33 PM, Alan DeKok <aland at deployingradius.com>
> wrote:
>
> > On Apr 14, 2015, at 7:10 AM, Adarsha S <s.adarsha at gmail.com> wrote:
> > > I've a setup with freeradius-server-2.2.3 and Windows AD 2008 [LDAP
> > > server] for authentication.
> > > I need to implement a fall back feature where, if the Windows AD server is
> > > not reachable, I need to authenticate using the local database.
> >
> > That's simple enough.
> >
> > > The problem I'm facing is:
> > > When the LDAP server is reachable and giving a wrong password, the result is
> > > RLM_MODULE_REJECT. When the LDAP server is not reachable, the result is
> > > RLM_MODULE_FAIL.
> >
> > Yes... see "man unlang". You can check for different return codes from
> > modules. You can also put the modules into a "redundant" block, where the
> > second one is called only when the first one fails.
> >
> > e.g.
> >
> > redundant {
> > ldap
> > other_database
> > }
> >
> > See "man unlang".
> >
> > Alan DeKok.
> >
> >
> > -
> > List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
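As an added illustration of the return-code handling discussed in this thread (not code from the thread or from the FreeRADIUS project), here is a FreeRADIUS 2.2.x unlang fragment that falls back to a local users file only on `fail` (server unreachable) and never on `notfound`/`reject`. It assumes the `ldap` instance is the one already configured for AD, and that `local_users` is a hypothetical `files` module instance holding Cleartext-Password entries for the fallback accounts.

```unlang
# Added example, not from the thread. Assumptions:
#   - "ldap" is the rlm_ldap instance pointed at the AD server.
#   - "local_users" is a hypothetical files-module instance, e.g.
#       files local_users { usersfile = ${confdir}/local_users }
#     whose entries carry Cleartext-Password for the fallback accounts.
#   - "linelog" and "do_not_respond" exist as on the list reply above.

authorize {
    ldap
    if (ok || updated) {
        # AD reachable and the user exists: let the LDAP bind check the password.
        update control { Auth-Type := LDAP }
    }
    elsif (fail) {
        # AD unreachable (connect/bind error), not a bad password:
        # consult the local fallback file and authenticate with PAP.
        local_users
        if (ok || updated) {
            update control { Auth-Type := PAP }
            update reply { Reply-Message := "Authenticated via local fallback" }
            linelog
        }
        else {
            # No local entry either: log it and let a redundant server answer.
            update reply { Reply-Message := "LDAP Server Error" }
            linelog
            do_not_respond
        }
    }
    else {
        # notfound (or reject): AD answered and the user does not exist there.
        # Never fall back here, or a user unknown to AD gets a second chance locally.
        reject
    }
}

authenticate {
    Auth-Type LDAP {
        # Bind as the user: wrong password -> reject, server down -> fail.
        ldap
    }
    Auth-Type PAP {
        # Compares User-Password against the Cleartext-Password from local_users.
        pap
    }
}
```

Run `radiusd -X` while stopping the AD host to confirm the `fail` branch fires, then retry with a bad password against a reachable AD to confirm the request is rejected without touching `local_users`.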