ldap redundant-load-balance sanity check and questions

Brantley Padgett brantleyp1 at yahoo.com
Wed Oct 12 14:11:33 UTC 2022


> cache_attribute = LDAP-Group

I tried going that route but wasn't able to get the groups to return for the post-auth. Trying again just now, I added in the ldap_server_info common file:

  cacheable_name = 'yes'
  cache_attribute = 'LDAP-test'

then in default I changed the first if test to be

  if (&LDAP-test == "group1") {
  #if (server1-Ldap-Group == "group1") || (server2-Ldap-Group == "group1") || (server3-Ldap-Group == "group1") {

Running freeradius -Xx I see it adding the groups to "LDAP-test":

Wed Oct 12 08:34:26 2022 : Debug: (0) server2: Adding cacheable group object memberships
Wed Oct 12 08:34:26 2022 : Debug: (0) server2: &control:LDAP-test += "group1"
Wed Oct 12 08:34:26 2022 : Debug: (0) server2: &control:LDAP-test += "somegroup2"
Wed Oct 12 08:34:26 2022 : Debug: (0) server2: &control:LDAP-test += "somegroup"
[...]
Wed Oct 12 08:34:26 2022 : Debug: (0) server2: Processing user attributes

But it errors trying to return the cached name, or at least that's how I understood it:

Wed Oct 12 08:34:26 2022 : Debug: (0) post-auth {
Wed Oct 12 08:34:26 2022 : Debug: (0) if (&LDAP-test == "group1") {
Wed Oct 12 08:34:26 2022 : ERROR: (0) Failed retrieving values required to evaluate condition

I tried to follow the suggestions in this https://stackoverflow.com/questions/58187426/freeradius-problem-with-redundant-load-balance-ldap-group answer, but wasn't sure where the update call needed to go.

I've tried putting this in default, for ldap in the authorize stanza:

  redundant_ldap
  if ((ok || updated) && User-Password && !control:Auth-Type) {
    update control {
      &Auth-Type := LDAP
    }
    update session-state {
      &LDAP-test += &LDAP-test[*]
    }
  }

then under post auth:

  update {
    #&reply: += &session-state:
    &LDAP-test += &session-state:LDAP-test[*]
  }

If I have just &session-state I see in the debug

Wed Oct 12 08:58:26 2022 : Debug: (0) post-auth {
Wed Oct 12 08:58:26 2022 : Debug: (0) update {
Wed Oct 12 08:58:26 2022 : Debug: (0) No attributes updated for RHS &session-state:LDAP-test[*]
Wed Oct 12 08:58:26 2022 : Debug: (0) } # update = noop

which made me think I needed to add the name of the attribute, but then I get

Wed Oct 12 09:04:24 2022 : Debug: (0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
Wed Oct 12 09:04:24 2022 : Debug: (0) post-auth {
Wed Oct 12 09:04:24 2022 : Debug: (0) update {
Wed Oct 12 09:04:24 2022 : Debug: (0) No attributes updated for RHS &session-state:LDAP-test[*]
Wed Oct 12 09:04:24 2022 : Debug: (0) } # update = noop

but either way still get

Wed Oct 12 09:04:24 2022 : Debug: (0) if (&LDAP-test == "group1") {
Wed Oct 12 09:04:24 2022 : ERROR: (0) Failed retrieving values required to evaluate condition


I'm sure Alan's answer and yours are the right way, I'm just not clear how to get there.


Brantley Padgett

The question is not how far. The question is, 
do you possess the constitution, 
the depth of faith, to go as far as is needed? 
            -Boondock Saints

On Wednesday, October 12, 2022, 04:23:15 AM CDT, Nick Porter <nick at portercomputing.co.uk> wrote:

On 11/10/2022 23:47, Alan DeKok wrote:
> On Oct 11, 2022, at 4:55 PM, Brantley Padgett via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> Question 2 - is there a better way of handling multiple 
> server[n]-Ldap-Group responses?
>    Unfortunately, no.  We're looking into fixing that for v4.

V3.2.x does allow you to set cache_attribute in the ldap module
configuration.


This is the attribute which cached group membership will be stored in
when the ldap module is called in authorize (presuming appropriate
settings are in place to cache group membership).

If all the ldap instances are representing the same data, as would be 
normal in a redundant failover scenario, then it would be valid to set 
all instances to use the same attribute in which to cache the group 
membership e.g.

cache_attribute = LDAP-Group

Then, regardless of which ldap instance retrieves the group membership, 
it will be cached in the same attribute.

> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-- 
Nick Porter
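A complete layout for the approach Nick describes, added here as an example and not taken from this thread's configuration: it assumes three ldap instances named server1, server2 and server3 pointing at replicas of one directory (hostnames and base DNs are placeholders), uses the ldap module's default cache attribute LDAP-Cached-Membership, and relies on the behaviour shown in the debug output in this thread, where cached group names are added to the control list.

```unlang
# mods-enabled/ldap: one group { } block, repeated verbatim in every instance
# (placeholder hostnames and DNs; only server1 is shown in full)
ldap server1 {
    server = "ldap1.example.com"
    base_dn = "dc=example,dc=com"
    group {
        base_dn = "ou=groups,dc=example,dc=com"
        filter = "(objectClass=posixGroup)"
        membership_attribute = "memberOf"
        # Cache group names in the same attribute for every instance, so it
        # does not matter which replica answered the query.
        cacheable_name = yes
        cache_attribute = "LDAP-Cached-Membership"
    }
}
# server2 and server3: identical group { } block, different server = ...

# sites-enabled/default
authorize {
    redundant-load-balance {
        server1
        server2
        server3
    }
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update control {
            &Auth-Type := LDAP
        }
    }
    # The module writes the cached names into the control list, which does
    # not survive multi-round (EAP) authentication; session-state does.
    update session-state {
        &LDAP-Cached-Membership += &control:LDAP-Cached-Membership[*]
    }
}

post-auth {
    # List-qualified reference: a bare &LDAP-Cached-Membership would be
    # looked up in the request list, which the ldap module never populates.
    if (&session-state:LDAP-Cached-Membership[*] == "group1") {
        update reply {
            &Reply-Message := "member of group1"
        }
    }
}
```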

