Issues with LDAP failover (FreeRad 3.0.22)

Alan DeKok aland at deployingradius.com
Mon May 13 12:54:03 UTC 2024


On May 13, 2024, at 7:22 AM, James Potter via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
> 
> Hi Team,
> 
> I'm having issues getting LDAP group membership checking working with multiple LDAP servers. Here's my config:

  http://wiki.freeradius.org/list-help

  We don't need to see the configuration files.  It very rarely helps.

> Choice bits from log file:
> At startup:
> Mon May 13 11:59:50 2024 : Warning: - server = 'uks-adds-02.thing.local uks-adds-01.thing.local'

  Reading the rest of the warning messages should get you the following:

Listing multiple LDAP servers in the 'server' configuration item is deprecated and will be removed in a future release.  Use multiple 'server' configuration items instead

  It's good to read all of the warning messages.

> At failure: Mon May 13 11:59:45 2024 :
> Mon May 13 11:59:39 2024 : Error: (379) Ignoring duplicate packet from client bra-wlc-p01 port 63991 - ID: 15 due to unfinished request in component authenticate module eap_peap      (guess this is clients getting impatient?)
> Error: rlm_ldap (ldap): Bind with edu.check at thing.local to ldap://uks-adds-02.thing.local:389 ldap://uks-adds-01.thing.local:389 ldap://ukw-adds-01.thing.local:389 ldap://thing.local:389 ldap://uks-adds-01.thing.local:389 failed: Timed out while waiting for server to respond    (but I know it can talk to all but the first LDAP server)
> 
> Hope that explains it all adequately... Any ideas what I'm missing here?

  The LDAP server is down.  Fail-over between servers is handled by libldap, and isn't really under the control of FreeRADIUS.

  If an LDAP server is critical for the operation of FreeRADIUS, it's best to make sure that the LDAP server stays up.  Adding multiple fail-over LDAP servers is a hack which will paper over any issues, but won't correct them.

  i.e. It's for extreme circumstances where many things are going wrong.  You shouldn't depend on it for daily operation.

  Why?  Fail-over takes time.  If the LDAP servers randomly go up and down during the day, there will be many periods where FreeRADIUS will be unable to contact the LDAP servers for many seconds.  It will take time to determine that the LDAP server isn't just slow, but it's down.  During that time, many many users will not get authenticated.

  Fail-over is for the case where the main LDAP server is down accidentally, and rarely.  Since the main server is down, most people aren't getting online.  So *anyone* getting authenticated is better than nothing.

  It is not possible to fix broken networks by adding more fail-over configuration.  The correct solution is to make sure that your network doesn't break.

  Alan DeKok.
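Added example, not taken from either message in this thread: the deprecated single-item `server` form that produces the startup warning quoted above, beside the one-item-per-host form the warning asks for, written in FreeRADIUS 3.0.x `mods-available/ldap` syntax. The hostnames are the ones in the log lines; the bind account, base DN, group settings and timeout values are assumptions (the timeouts are the values shipped in the stock 3.0 config).

```conf
# Deprecated form: several hosts inside one 'server' item.  This is what
# triggers "Listing multiple LDAP servers in the 'server' configuration
# item is deprecated" at startup.
ldap {
	server = 'uks-adds-02.thing.local uks-adds-01.thing.local'
}

# Corrected form: one 'server' item per host.  libldap, not FreeRADIUS,
# walks the list in order and moves on when a host does not answer.
ldap {
	server = 'uks-adds-02.thing.local'
	server = 'uks-adds-01.thing.local'
	port = 389

	# Bind account and base DN: placeholders, not values from the thread.
	identity = 'cn=radius-bind,ou=service,dc=thing,dc=local'
	password = '<bind-password-placeholder>'
	base_dn  = 'dc=thing,dc=local'

	# Group membership checking via the user's memberOf attribute
	# (assumed layout; adjust to the directory in use).
	group {
		base_dn              = 'ou=groups,dc=thing,dc=local'
		name_attribute       = 'cn'
		membership_attribute = 'memberOf'
	}

	options {
		# Seconds to wait for the TCP connect to each host before libldap
		# gives up on it and tries the next 'server' entry.  Every down
		# host listed ahead of a live one adds this to each request.
		net_timeout = 1
		# Seconds to wait for a query result once connected.
		res_timeout = 10
		# Server-side time limit for searches.
		srv_timelimit = 3
	}
}
```

The second form only clears the deprecation warning; it does not make an unreachable first host answer any faster, which is the point the reply makes about relying on fail-over.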


