freeradius 3.0.15 not starting if one LDAP server not reachable

Enno Gröper groepeen at
Fri Dec 15 15:01:32 CET 2017


We are running freeradius with authentication against several LDAP 
clusters (2-node):

Example config:

Auth-Type LDAP_CMS {
   redundant-load-balance {  # between ldap servers

If one of those ldap servers (i.e. ldap_cms2) can't be reached 
(temporary failure, maintenance, ...), freeradius won't start:

Thu Dec 14 21:05:31 2017 : Error: rlm_ldap (ldap_cms2): Could not start TLS: Can't contact LDAP server
Thu Dec 14 21:05:31 2017 : Error: rlm_ldap (ldap_cms2): Opening connection failed (0)
Thu Dec 14 21:05:31 2017 : Error: /usr2/freeradius/etc/raddb/mods-enabled/ldap[844]: Instantiation failed for module "ldap_cms2"
Thu Dec 14 21:05:36 2017 : Info: Debugger not attached

Are there any ideas how to work around this problem?
Looking at the code rlm_ldap instantiation would fail, if there is any 

If freeradius is already running, there is no problem with a failing 
ldap server. But a freeradius restart in such a situation means a full 
service failure (even if only one of 8 ldap servers is down).

Do you think error handling could be extended here to distinguish 
between temporary and permanent (configuration) errors? Or would this 
add too much complexity?
I assume this would be too complex a change for 3.x.
At this point in time we don't know that there will be a redundant 
config for this authentication source.
Should I open a bug for this?

Kind regards,
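
An added configuration sketch, not part of the original message and not taken from the poster's files: in FreeRADIUS 3.0.x every module instance has a connection `pool` section whose `start` value is the number of connections opened while the module is instantiated, so with `start = 0` no LDAP or TLS connection is attempted at startup. The instance name `ldap_cms1` and the host names are assumptions (only `ldap_cms2` appears in the log above), and the behaviour should be confirmed against the `pool` comments in the installed `mods-available/ldap`.

```conf
# mods-enabled/ldap (fragment, constructed example)
# ldap_cms1 and both host names are assumptions; ldap_cms2 is the
# instance named in the error log.

ldap ldap_cms1 {
    server = 'ldap-cms1.example.org'
    start_tls = yes

    pool {
        # Connections opened during module instantiation.
        # A non-zero value makes server startup depend on this
        # directory being reachable; 0 defers the first connection
        # until a request needs one.
        start = 0
        # other pool settings unchanged
    }
}

ldap ldap_cms2 {
    server = 'ldap-cms2.example.org'
    start_tls = yes

    pool {
        start = 0
        # other pool settings unchanged
    }
}

# sites-enabled/default (fragment)
authenticate {
    Auth-Type LDAP_CMS {
        # Fail over between the two nodes of the cluster at request time.
        redundant-load-balance {
            ldap_cms1
            ldap_cms2
        }
    }
}
```

With `start = 0` an unreachable or misconfigured directory is no longer caught at startup; the failure first shows up in the log when a request is sent to that instance, so monitoring has to cover it.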


More information about the Freeradius-Users mailing list