Issues with LDAP failover (FreeRad 3.0.22)
James Potter
Jim.Potter at jisc.ac.uk
Mon May 13 11:22:05 UTC 2024
Hi Team,
I'm having issues getting LDAP group membership checking working with multiple LDAP servers. Here's my config:
ldap {
server = "${ldap.2} ${ldap.1}"
# server = "${ldap.1}"
server = "${ldap.3}"
server = "${ldap.4}"
base_dn = 'DC=thing,DC=local'
identity = ${eduroamLDAPAccount.username}
password = ${eduroamLDAPAccount.password}
user {
base_dn = "${..base_dn}"
scope = sub
filter = "(&(objectclass=user)(sAMAccountName=%{Stripped-User-Name}))"
}
group {
base_dn = "${..base_dn}"
filter = "(objectclass=group)"
membership_filter = "(member=%{control:Ldap-UserDn})"
cacheable_name ='yes'
cacheable_dn = 'no'
cache_attribute = 'LDAP-Cached-Membership'
}
options {
# ldap_debug = 0x0028
chase_referrals = yes
rebind = yes
res_timeout = 2
srv_timelimit = 5
net_timeout = 2
}
}
The issue - we have been having network wobbles + FreeRad crashes out if it can't talk to a LDAP server (we previously only had 1 LDAP server listed), so I'd like it to either round robin LDAP servers or fail over smoothly.
All ldap.X server variables are resolvable hostnames (final one is domain, so RR-s round all domain controllers) and the servers work individually (/if I put them at the top of the list).
To emulate a network failure I'm using iptables -I INPUT -s <ldap.1 IP> -j DROP (also tried blocking output). With this in place I see netstat -np | grep 389 shows fleeting connections to other LDAP Servers:
Working/pre iptables:
* tcp 0 91 10.1.18.32:43066 10.1.12.201:389 ESTABLISHED 285161/radiusd
blocked/iptables blocking 10.1.12.201 only:
* tcp 0 109 10.1.18.32:39856 192.168.7.250:389 ESTABLISHED 285161/radiusd
* tcp 0 99 10.1.18.32:43066 10.1.12.201:389 FIN_WAIT1 -
* tcp 0 109 10.1.18.32:44864 172.16.2.124:389 ESTABLISHED 285161/radiusd
* tcp 0 108 10.1.18.32:39868 192.168.7.250:389 ESTABLISHED 285161/radiusd
* tcp 0 0 10.1.18.32:43856 10.1.12.200:389 ESTABLISHED 285161/radiusd
(but auths fail/blocked, connections drop, freerad crashes moments later)
radiusd -X -C shows:
ldap {
server = "uks-adds-02.thing.local uks-adds-01.thing.local"
identity = edu.check at thing.local<mailto:edu.check at thing.local>
password = <<< secret >>>
sasl {
(So only first server listed?)
Choice bits from log file:
At startup:
Mon May 13 11:59:50 2024 : Warning: - server = 'uks-adds-02.thing.local uks-adds-01.thing.local'
Mon May 13 11:59:50 2024 : Warning: + server = 'uks-adds-02.thing.local'
Mon May 13 11:59:50 2024 : Warning: + server = 'uks-adds-01.thing.local'
(one way or another it knows about multiple servers?)
At failure: Mon May 13 11:59:45 2024 :
Mon May 13 11:59:39 2024 : Error: (379) Ignoring duplicate packet from client bra-wlc-p01 port 63991 - ID: 15 due to unfinished request in component authenticate module eap_peap (guess this is clients getting impatient?)
Error: rlm_ldap (ldap): Bind with edu.check at thing.local<mailto:edu.check at thing.local> to ldap://uks-adds-02.thing.local:389 ldap://uks-adds-01.thing.local:389 ldap://ukw-adds-01.thing.local:389 ldap://thing.local:389 ldap://uks-adds-01.thing.local:389 failed: Timed out while waiting for server to respond (but I know it can talk to all but the first LDAP server)
Hope that explains it all adequately... Any ideas what I'm missing here?
Thanks,
Jim Potter
Jisc
More information about the Freeradius-Users
mailing list