ldap redundant-load-balance sanity check and questions
Alan DeKok
aland at deployingradius.com
Wed Oct 12 15:36:00 UTC 2022
On Oct 12, 2022, at 10:11 AM, Brantley Padgett via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> I tried going that route but wasn't able to get the groups to return for the post-auth. Trying again just now, I added in the ldap_server_info common file:
I recommend a careful reading of the debug output.
> cacheable_name = 'yes'
> cache_attribute = 'LDAP-test'
>
> then in default I changed the first if test to be
>
> if (&LDAP-test == "group1") {
Just the name, which means that by default it's looking in the "request" list.
> Running freeradius -Xx I see it adding the groups to "LDAP-test":
>
> Wed Oct 12 08:34:26 2022 : Debug: (0) server2: Adding cacheable group object memberships
> Wed Oct 12 08:34:26 2022 : Debug: (0) server2: &control:LDAP-test += "group1"
> Wed Oct 12 08:34:26 2022 : Debug: (0) server2: &control:LDAP-test += "somegroup2"
> Wed Oct 12 08:34:26 2022 : Debug: (0) server2: &control:LDAP-test += "somegroup"
These are being added to the "control" list.
See "man unlang"
> [...]
> Wed Oct 12 08:34:26 2022 : Debug: (0) server2: Processing user attributes
>
> But it errors trying to return the cached name, or at least that's how I understood it:
No, it errors *finding* the cached name. Details matter.
> Wed Oct 12 08:34:26 2022 : Debug: (0) post-auth {
> Wed Oct 12 08:34:26 2022 : Debug: (0) if (&LDAP-test == "group1") {
> Wed Oct 12 08:34:26 2022 : ERROR: (0) Failed retrieving values required to evaluate condition
>
> I tried to follow the suggestions in this https://stackoverflow.com/questions/58187426/freeradius-problem-with-redundant-load-balance-ldap-group answer, but wasn't sure where the update call needed to go.
> I've tried putting in default, this for ldap in the authorize stanza:
> redundant_ldap
> if ((ok || updated) && User-Password && !control:Auth-Type) {
> update control {
> &Auth-Type := LDAP
> }
> update session-state {
> &LDAP-test += &LDAP-test[*]
Again
&control:LDAP-Test
versus
&LDAP-Test.
They're different. You can't just assume that the server does what you want, even when you tell it to do different things.
Alan DeKok.
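As an added example (not from the thread or the FreeRADIUS project), the quoted snippets with the list names written out explicitly, assuming the `cacheable_name`/`cache_attribute = 'LDAP-test'` settings above and a FreeRADIUS 3.x `sites-enabled/default` virtual server:

```unlang
authorize {
    redundant_ldap
    if ((ok || updated) && User-Password && !control:Auth-Type) {
        update control {
            &Auth-Type := LDAP
        }
        # The ldap module added the group names to the "control" list
        # (see the "&control:LDAP-test += ..." debug lines), so copy from
        # there. "&LDAP-test[*]" alone would read the "request" list,
        # which has no LDAP-test and so yields nothing.
        update session-state {
            &LDAP-test += &control:LDAP-test[*]
        }
    }
}

post-auth {
    # Name the list explicitly; a bare "&LDAP-test" is "&request:LDAP-test",
    # which is why the original condition failed to retrieve any value.
    # "[*]" makes the comparison succeed if any instance matches.
    if (&control:LDAP-test[*] == "group1") {
        update reply {
            &Reply-Message := "member of group1"
        }
    }
}
```

The `session-state` copy is only needed when the check runs in a later round than the LDAP lookup, which is the situation the linked Stack Overflow answer addresses; within a single request, `&control:LDAP-test` is readable in `post-auth` directly.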