Daniel Oakes daniel at
Wed Apr 8 22:31:33 CEST 2020

Yeah – I agree – I don’t want to go down a rabbit hole.

What I’m getting is this from the ldap server, which thanks to typically awful documentation is giving me this (from freeradius logs):

Mon Apr  6 17:01:03 2020 : Info: rlm_ldap (ldap): Opening additional connection (4443), 1 of 1 pending slots used
Mon Apr  6 17:01:03 2020 : Error: rlm_ldap (ldap): Bind was not permitted: Server was unwilling to perform
Mon Apr  6 17:01:03 2020 : Error: rlm_ldap (ldap): Opening connection failed (4443)

So that’s not a freeradius fault, but I’m thinking it’s the best place to deal with it.  Ideally I’d like to try the other ldap server should it be returning that.

Recommended approach?


From: Freeradius-Users < at>
Date: Wednesday, 8 April 2020 at 2:29 AM
To: FreeRadius users mailing list <freeradius-users at>
Subject: Re: Redundant-load-balance
On Apr 6, 2020, at 10:36 PM, Daniel Oakes <daniel at> wrote:
> As per subject – trying to set up redundant-load-balance (or even redundant – don’t care as long as it works).
> Line 157 was ‘ldap’

  And you don't have an "ldap" module.  So the server has no idea what to do with a bare "ldap" thing in the configuration.

> So just wanting some redundancy in the ldap module (as I’m finding freeipa is being arse sometimes and failing to respond, so I want to go to the other one of the pair).
> I’m going down a rabbit hole in trying to edit stanzas without understanding the implications.

  That won't end well...

> I ended up in a point where it got further, but now I’m not getting an expansion of the ldap group:
> elsif ("%{control:LDAP-Group[*]}" =~ /operations/) { etc

  For various magic reasons, you can't do expansion on LDAP groups.  The LDAP-Group attribute runs an LDAP group query.  The LDAP-Group attribute generally does not contain all of the group information from LDAP.

  Alan DeKok.
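
An added configuration sketch, not part of the original thread or of either poster's setup, showing the points made above: two named ldap instances inside a redundant-load-balance block, and a group check written as an attribute comparison instead of a string expansion. It assumes FreeRADIUS 3.x; the instance names ldap1/ldap2, the hostnames and the file layout are constructed placeholders, and the per-instance group attribute name (<instance>-LDAP-Group) is the 3.x convention for named instances.

```unlang
# mods-enabled/ldap1 and mods-enabled/ldap2 (assumed layout).
# A bare "ldap" reference fails when no instance has that name,
# so each instance gets a name and is referenced by it.
ldap ldap1 {
	server = 'ldap1.example.org'    # constructed placeholder
	# identity, password, base_dn, user {}, group {} as in the
	# existing single-server module configuration
}

ldap ldap2 {
	server = 'ldap2.example.org'    # constructed placeholder
	# same remaining settings as ldap1
}

# sites-enabled/default (assumed layout)
authorize {
	# Requests are spread across both instances; when one returns
	# "fail" (for example the connection cannot be opened), the
	# other instance is tried for the same request.
	redundant-load-balance {
		ldap1
		ldap2
	}

	# Form from the thread: expanding the attribute as a string
	# does not work, because the attribute does not hold the
	# group list from LDAP.
	#   elsif ("%{control:LDAP-Group[*]}" =~ /operations/) {

	# Comparison form: evaluating the attribute runs the LDAP
	# group query against the named instance.
	if (ldap1-LDAP-Group == "operations" || ldap2-LDAP-Group == "operations") {
		# policy for members of "operations" goes here
		noop
	}
}
```

Running the server in debug mode (radiusd -X) shows which instance handled each request and whether the group comparison issued a query.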
