Hi all,
I have been running FreeRadius in a redundant failover with LDAP for
about two years now. This weekend, my primary LDAP server hiccuped, so my
failover config should have picked up the slack. This did not happen. I
could swear that I tested this after setup, but maybe not, as it did not
work. Do I have a config error or is there something that I am missing
here? I did shoot an 'ldapsearch' at my secondary LDAP server just to
ensure that it is indeed servicing the LDAP queries. Below are the
relevant portions of my radiusd.conf:
-----< snip >-----
# Lightweight Directory Access Protocol (LDAP)
#
# This module definition allows you to use LDAP for
# authorization and authentication (Auth-Type := LDAP)
#
# See doc/rlm_ldap for description of configuration options
# and sample authorize{} and authenticate{} blocks
ldap ldap1 {
server = "10.0.4.24"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "o=X"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
#filter = "(uid=%u)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database.
start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
#access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
#access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
# ldap_cache_timeout = 120
# ldap_cache_size = 0
ldap_connections_number = 5
# password_header = "{clear}"
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
timeout = 5
timelimit = 4
net_timeout = 2
# compare_check_items = yes
# access_attr_used_for_allow = yes
}
ldap ldap2 {
server = "10.0.4.106"
# identity = "cn=admin,o=My Org,c=UA"
# password = mypass
basedn = "o=X"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
#filter = "(uid=%u)"
# set this to 'yes' to use TLS encrypted connections
# to the LDAP database.
start_tls = no
# default_profile = "cn=radprofile,ou=dialup,o=My Org,c=UA"
# profile_attribute = "radiusProfileDn"
#access_group = "cn=clients,ou=dialup,o=My Org,c=UA"
#access_attr = "dialupAccess"
# Mapping of RADIUS dictionary attributes to LDAP
# directory attributes.
dictionary_mapping = ${raddbdir}/ldap.attrmap
# ldap_cache_timeout = 120
# ldap_cache_size = 0
ldap_connections_number = 5
# password_header = "{clear}"
# password_attribute = userPassword
# groupname_attribute = cn
# groupmembership_filter =
"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames$
timeout = 5
timelimit = 4
net_timeout = 2
# compare_check_items = yes
# access_attr_used_for_allow = yes
}
<<<< missing lines..... >>>>
authorize {
#
# The preprocess module takes care of sanitizing some bizarre
# attributes in the request, and turning them into attributes
# which are more standard.
#
# It takes care of processing the 'raddb/hints' and the
# 'raddb/huntgroups' files.
#
# It also adds a Client-IP-Address attribute to the request.
#
preprocess
#
# The chap module will set 'Auth-Type := CHAP' if we are
# handling a CHAP request and Auth-Type has not already been set
#
# chap
# counter
# attr_filter
# eap
suffix
files
# etc_smbpasswd
#
# Uncomment 'mschap' if the users are logging in with an
# MS-CHAP-Challenge attribute for authentication. The mschap
# module will find the MS-CHAP-Challenge attribute, and add
# 'Auth-Type := MS-CHAP' to the request, which makes it use
# the mschap module for authentication.
#
# mschap
# The ldap module will set Auth-Type to LDAP if it has not already been set
# ldap
redundant {
ldap1
ldap2
}
}
authenticate {
# pam
unix
# Uncomment it if you want to use ldap for authentication
authtype ldap {
redundant {
ldap1
ldap2
}
}
# mschap
# eap
-----< snip >-----
Here are some of the entries from the log file, for what they are worth...
-----< snip >-----
Mon Sep 1 19:54:26 2003 : Error: rlm_ldap: ldap_search() failed: Timed out
while waiting for server to respond. Please increase the timeout.
Mon Sep 1 20:03:36 2003 : Error: rlm_ldap: ldap_search() failed: Unknown
error
Mon Sep 1 20:03:45 2003 : Error: rlm_ldap: ldap_search() failed: Timed out
while waiting for server to respond. Please increase the timeout.
Mon Sep 1 20:03:47 2003 : Error: rlm_ldap: ldap_search() failed: Unknown
error
Mon Sep 1 20:11:03 2003 : Error: rlm_ldap: ldap_search() failed: LDAP
connection lost.
Mon Sep 1 20:11:03 2003 : Info: rlm_ldap: Attempting reconnect
Mon Sep 1 20:11:03 2003 : Error: Discarding new request from client
AP02:192 - ID: 210 due to live request 26485
Mon Sep 1 20:11:05 2003 : Error: rlm_ldap: bind to 10.0.4.24:389 failed:
Can't contact LDAP server
-----< snip >-----
Any ideas on what may be the problem?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
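Triage helper for radiusd.log entries in the format quoted above (an added example; not part of the original post or of FreeRADIUS). It reassembles the wrapped log lines into whole entries, classifies each rlm_ldap failure, and lists which LDAP servers appear in bind failures; the sample text is constructed from the entries quoted in the post.

```python
import re
from collections import Counter
# Constructed sample: the wrapped radiusd.log entries quoted in the post.
SAMPLE_LOG = """Mon Sep 1 19:54:26 2003 : Error: rlm_ldap: ldap_search() failed: Timed out
while waiting for server to respond. Please increase the timeout.
Mon Sep 1 20:03:36 2003 : Error: rlm_ldap: ldap_search() failed: Unknown
error
Mon Sep 1 20:11:03 2003 : Error: rlm_ldap: ldap_search() failed: LDAP
connection lost.
Mon Sep 1 20:11:03 2003 : Info: rlm_ldap: Attempting reconnect
Mon Sep 1 20:11:03 2003 : Error: Discarding new request from client
AP02:192 - ID: 210 due to live request 26485
Mon Sep 1 20:11:05 2003 : Error: rlm_ldap: bind to 10.0.4.24:389 failed:
Can't contact LDAP server
"""
# A new entry starts "Www Mmm dd HH:MM:SS YYYY : Level: message"; other lines are wrapped continuations.
ENTRY_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4}) : (\w+): (.*)$")
BIND_RE = re.compile(r"bind to (\d+\.\d+\.\d+\.\d+):\d+ failed")
# Message fragments identifying each failure class; first match wins.
CATEGORIES = (("search_timeout", "Timed out"), ("connection_lost", "connection lost"),
              ("bind_failed", "rlm_ldap: bind to"), ("search_unknown", "Unknown error"),
              ("request_dropped", "Discarding new request"), ("reconnect", "Attempting reconnect"))

def parse_entries(text):
    """Reassemble wrapped lines into (timestamp, level, message) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2), m.group(3)])
        elif entries:
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]

def classify(message):
    """Map a radiusd message to a coarse failure category."""
    for name, needle in CATEGORIES:
        if needle in message:
            return name
    return "other"

def summarize(text):
    """Count failure categories and collect the LDAP servers named in bind failures."""
    counts, servers = Counter(), set()
    for _ts, _level, msg in parse_entries(text):
        counts[classify(msg)] += 1
        m = BIND_RE.search(msg)
        if m:
            servers.add(m.group(1))
    return counts, sorted(servers)
```

On the quoted entries it reports one entry of each class and a single bind-failure server, 10.0.4.24, so nothing in this excerpt shows ldap2 being contacted.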