configure freeradius to send no response if LDAP database fails

[Matthew Almen]

Hello, I am trying to find out if there is a way to configure freeradius to exit or not send a response to queries if the local LDAP database becomes unavailable after the radius server is started.  The radiusd service will not start if it cannot connect to the local LDAP database which I would expect.  If I stop the LDAP service while freeradius is running I see from the debugging output pf /usr/sbin/radiusd -X that it fails to contact the LDAP server over and over and just keeps sending access-rejects back to our NAS router.  Our router is configured to test the radius server with a test username but it will not mark the server as dead and move onto the next server in the server-group if it receives any response from the radius server.  Even if an access-reject is received that still satisfies the test and the server does not get marked as dead.  I need the server to be marked as dead if LDAP is down and radius is replying with an access-reject for everything.  Any help would be appreciated.  Thanks, Matt

Here is radiusd -X output showing ldap failed and an access-reject being sent:

rlm_ldap (ldap): Bind with cn=ldappkrv,ou=Polar,ou=Admins,dc=polarcomm,dc=com to ldap://localhost:389 failed: Can't contact LDAP server
rlm_ldap (ldap): Failed to reconnect (1), no free connections are available
(2) ldap: ERROR: Failed performing search: Can't contact LDAP server
(2)     [ldap] = fail
(2)   } # authorize = fail
(2) Using Post-Auth-Type Reject
(2) # Executing group from file /etc/raddb/sites-enabled/default
(2)   Post-Auth-Type REJECT {
(2) attr_filter.access_reject: EXPAND %{User-Name}
(2) attr_filter.access_reject:    --> 9k-radius-test-username
(2) attr_filter.access_reject: Matched entry DEFAULT at line 11
(2)     [attr_filter.access_reject] = updated
(2)   } # Post-Auth-Type REJECT = updated
(2) Delaying response for 1.000000 seconds



[Description: MatthewAlmen]