"redundant" block works in "default" virtual server, but does not work in "inner-tunnel".

Alan DeKok aland at deployingradius.com
Thu Mar 3 19:15:26 UTC 2022


On Mar 3, 2022, at 1:39 AM, Rahman Duran <rahman.duran at erzurum.edu.tr> wrote:
> Long story short, the following configuration works in the default virtual
> server but it does not in the inner tunnel. In inner-tunnel, if the first ldap
> section could not find the user, then it does not go on and check the second ldap;

  The "redundant" key word doesn't know (or care) if it's running in "default" versus "inner-tunnel".

  If you want us to figure out why it's behaving differently in the two cases, then it would help to post the debug output for both cases.

> authorize {

  We don't need to see the configuration files.  All of the documentation makes this very clear.
> 
> (633)             redundant {
> rlm_ldap (ldap_personel): Closing connection (10): Hit idle_timeout, was idle for 53546 seconds
> rlm_ldap (ldap_personel): Closing connection (12): Hit idle_timeout, was idle for 53529 seconds
> rlm_ldap (ldap_personel): Closing connection (11): Hit idle_timeout, was idle for 53522 seconds
> rlm_ldap (ldap_personel): You probably need to lower "min"
> rlm_ldap (ldap_personel): Closing connection (13): Hit idle_timeout, was idle for 53521 seconds

  Why do you have so many connections idle for ~10 hours?

> rlm_ldap (ldap_personel): You probably need to lower "min"

 If the connections aren't needed, perhaps pay attention to this message, and set "min=0".

> Any idea why "redundant" behaves differently in the inner-tunnel or what am I
> missing?

  It's behaving differently because the inputs to the LDAP module are different.

  But until you post the *full* debug output, it's impossible for us to say what those differences are.

  Alan DeKok.
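As an added illustration (not part of the original thread, and not Rahman's actual configuration), the two settings the reply touches on, written out as a FreeRADIUS 3.x config fragment. The instance names ldap_personel and ldap_student, the server names, DNs and pool numbers are assumed. The pool block shows the "min" value that keeps connections open for hours beside the "min = 0" Alan suggests. The inner-tunnel "authorize" section shows the same "redundant" block that would be used in "default"; note that by default "redundant" only moves on to the next module when the previous one returns "fail", so the per-module override of the "notfound" action is shown for the case where a user missing from the first directory should also be looked up in the second.

```unlang
# mods-available/ldap: one of the two LDAP instances.  Only the pool block
# is relevant to the "Hit idle_timeout ... lower "min"" messages in the thread.
ldap ldap_personel {
        server = "ldap1.example.org"                # assumed
        identity = "cn=radius,dc=example,dc=org"    # assumed
        password = "change-me"                      # assumed; keep out of git
        base_dn = "ou=personel,dc=example,dc=org"   # assumed

        user {
                base_dn = "${..base_dn}"
                filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        }

        pool {
                start = 5
                # min = 4      # original: 4 connections are kept open even when
                               # nothing uses them, so they sit idle for hours
                min = 0        # as suggested in the reply: idle connections are
                               # closed and only re-opened when needed
                max = 32
                spare = 3
                idle_timeout = 60
        }
}

# sites-available/inner-tunnel (trimmed to the part under discussion).
# "redundant" reads exactly the same here as it does in sites-available/default.
server inner-tunnel {
        authorize {
                filter_username
                chap
                mschap
                suffix

                redundant {
                        ldap_personel {
                                fail = 1       # fall through to the next module (default for redundant)
                                notfound = 1   # also fall through when this directory has no such user
                        }
                        ldap_student
                }

                pap
        }
}
```

Whether the first instance returns "fail" or "notfound" for a given request depends on what the module was handed (for example the User-Name after "suffix" has stripped the realm), which is why the full debug output of both cases is what settles the question.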


