Joost made a suggestion earlier to add support for a backup LDAP server in order to get high availability. I think it would be a very good feature to have the 'host' specification in the <AuthBy LDAP> clause to accept a string like the ldapsdk call ldapopen(). It would look much like:

<AuthBy LDAP>
...
Host ldap1.domain.com:389 ldap2.domain.com:389 ldap3.domain.com:389
...
</AuthBy>

Would that be difficult to add?

- Wilbert

Hi Ingvar,

thanks for reporting this. In the forthcoming new release of Radiator, AuthLDAP and other similar authenticators will IGNORE if there is a problem contacting the database, so you will be able to distinguish between "database failure" and "no such user" and fall through to a fallback database if need be.

The new release will be out in a few days.

Hope that helps.

Cheers.

On Apr 29, 1:33pm, Ingvar Berg (ERA) wrote:
> Subject: RE: (RADIATOR) AuthByLDAP doesn't IGNORE on LDAP server failure
> -----Original Message-----
> From: Joost Stegeman [mailto:[EMAIL PROTECTED]]
>
> Hi all,
>
> To accommodate high availability, we generate a backup dbm file from the LDAP
> data every night so that in case of an LDAP server failure, Radiator will
> fall back to authenticating from this file with a ContinueWhileIgnore clause.
>
> Now it seems that, unlike the AuthBySQL module, AuthByLDAP doesn't return
> IGNORE when the remote server is unreachable. Instead it returns REJECT. Is
> this for a good reason? The 'SQL' way seems logical to me, it greatly
> simplifies backup authentication procedures.
>
> We now use ContinueWhileReject, but some of our users have already
> complained about their old password being valid after they changed it.
> (The new one is valid too of course and after 0400 the backup file is
> regenerated so everything is in sync) I would really like the fall back
> possibility as it reduces the risk of authentication breakdown, and it also
> simplifies maintenance on the LDAP server.
>
> Mike, could you change this for the next release?
> Does anyone have other thoughts on the matter?
>
> [IB] Another thought is that it must be possible to configure Radiator to
> use a backup LDAP server, which would require the same fix, I guess.
>
> /Ingvar
> Ericsson Radio Systems AB
> Center for Wireless Internet Integration
> P.O. Box 1885, Teknikringen 8, S-581 17 Linköping, Sweden
> Phone +46 13 32 22 87
> Mobile +46 70 321 3395
> Fax +46 70 617 3395
> mailto:[EMAIL PROTECTED]
>
> To unsubscribe, email '[EMAIL PROTECTED]'
> with 'unsubscribe radiator' in the body of the message.
>-- End of excerpt from Ingvar Berg (ERA)

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985
Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody

Archive at http://www.thesite.com.au/~radiator/
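
The fall-through behaviour discussed in this thread, as an added example that is not part of the original messages and is not Radiator code: a simplified Python model of a two-authenticator chain (live LDAP, then the nightly backup file) under the ContinueWhileReject and ContinueWhileIgnore policies. The function names, the user alice and both passwords are constructed for illustration.

```python
from enum import Enum

class Result(Enum):
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    IGNORE = "IGNORE"

def ldap_auth(directory, reachable, fail_result):
    """Primary authenticator. fail_result is what it returns when the
    server cannot be contacted (REJECT before the fix, IGNORE after)."""
    def check(user, password):
        if not reachable:
            return fail_result
        return Result.ACCEPT if directory.get(user) == password else Result.REJECT
    return check

def file_auth(snapshot):
    """Backup authenticator reading the nightly snapshot of the directory."""
    def check(user, password):
        return Result.ACCEPT if snapshot.get(user) == password else Result.REJECT
    return check

def run_chain(authenticators, continue_while, user, password):
    """Try authenticators in order; move to the next one only while the
    previous result equals continue_while (the chain policy)."""
    result = Result.IGNORE
    for auth in authenticators:
        result = auth(user, password)
        if result != continue_while:
            break
    return result

# Constructed sample data: alice changed her password after the last snapshot.
LIVE = {"alice": "new-pw"}
SNAPSHOT = {"alice": "old-pw"}

def scenario(reachable, fail_result, policy, password):
    """Run alice's login through LDAP followed by the backup file."""
    chain = [ldap_auth(LIVE, reachable, fail_result), file_auth(SNAPSHOT)]
    return run_chain(chain, policy, "alice", password)

if __name__ == "__main__":
    # ContinueWhileReject, LDAP up: the stale password is accepted by the backup.
    print(scenario(True, Result.REJECT, Result.REJECT, "old-pw"))
    # ContinueWhileIgnore, LDAP up: LDAP's REJECT is final, stale password refused.
    print(scenario(True, Result.IGNORE, Result.IGNORE, "old-pw"))
    # ContinueWhileIgnore, LDAP down and returning IGNORE: backup file is consulted.
    print(scenario(False, Result.IGNORE, Result.IGNORE, "old-pw"))
    # ContinueWhileIgnore, LDAP down but returning REJECT: outage rejects everyone.
    print(scenario(False, Result.REJECT, Result.IGNORE, "old-pw"))
```

With IGNORE on server failure, the backup file is reached only during an outage, so a stale snapshot password is usable only while the LDAP server is down rather than at any time.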