Hey folks,

Has anyone gotten redundancy working when using LDAP to perform authentication and authorization? I've been trying to get this to work, but it appears, to me, that the redundancy is only used for part of the auth process. When looking up the DN for the user who is trying to authenticate, redundancy works. After that though, it appears that only the first module in the redundant list is tried. Then it ultimately fails.

The LDAP servers are 3 Windows DCs.

    authorize {
        redundant {
            svr1
            svr3
            svr2
            notfound = return
        }
        files
    }

    authenticate {
        Auth-Type LDAP {
            redundant {    # wasn't sure if this was necessary
                svr1
                svr3
                svr2
            }
        }
    }

I test by simulating a failure of svr1 using:

    route add -host <svr1 IP> 127.0.0.1 -blackhole

Svr3 happens to be down for maintenance at the moment.

Thanks for any help,
Jason

Log:

    rad_recv: Access-Request packet from host x.x.x.x:3104, id=14, length=54
            User-Name = "username"
            User-Password = "XXXXX"
      Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
      modcall[authorize]: module "preprocess" returns ok for request 0
    modcall: entering group redundant for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for usersname
    radius_xlat:  'XXXXXXXX'
    radius_xlat:  'XXXXXXXX'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to <svr1 IP>, authentication 0
    rlm_ldap: setting TLS mode to 1
    rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
    rlm_ldap: bind as XXXXXXXX to XXXXXXXXXXXX
    rlm_ldap: XXXXXXXXXX bind to XXXXXXXXXXX failed: Can't contact LDAP server
    rlm_ldap: (re)connection attempt failed
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
      modcall[authorize]: module "svr1" returns fail for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for username
    radius_xlat:  'XXXXXXXXXXXXXXXXXXX'
    radius_xlat:  'XXXXXXXXXXXXXXXXXXX'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to <svr3 IP>, authentication 0
    rlm_ldap: setting TLS mode to 1
    rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
    rlm_ldap: bind as XXXXXXXXXX to XXXXXXXXXXXXXX
    rlm_ldap: XXXXXXXXXXXx bind to XXXXXXXXXXXXXXX failed: Can't contact LDAP server
    rlm_ldap: (re)connection attempt failed
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
      modcall[authorize]: module "svr3" returns fail for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for username
    radius_xlat:  'XXXXXXXXXXXXXXXxxxxxx'
    radius_xlat:  'XXXXXXXXXXXXXXXXXXXXX'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to <svr2 IP>, authentication 0
    rlm_ldap: setting TLS mode to 1
    rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
    rlm_ldap: bind as XXXXXXXXX to XXXXXXXXXXXXXXXX
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in XXXXXXXXXXXXXXXXXX, with filter (&(XXXXXXXX)(XXXXXXXXXX))
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user username authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
      modcall[authorize]: module "svr2" returns ok for request 0
    modcall: group redundant returns ok for request 0
    radius_xlat:  'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat:  'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    radius_xlat:  '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXX))'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to <svr1 IP>, authentication 0
    rlm_ldap: setting TLS mode to 1
    rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
    rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXx
    rlm_ldap: XXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX Can't contact LDAP server
    rlm_ldap: (re)connection attempt failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Search returned error
    radius_xlat:  'XXXXXXXXXXXXXXXXXXXXXXXXXXXX'
    rlm_ldap: Entering ldap_groupcmp()
    radius_xlat:  'XXXXXXXXXXXXXXXXXXXXXXXXX'
    radius_xlat:  '(&(objectClass=group)(member=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxx))'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to <svr1 IP>, authentication 0
    rlm_ldap: setting TLS mode to 1
    rlm_ldap: setting TLS CACert File to /path/to/cacert.pem
    rlm_ldap: bind as XXXXXXXXXXXXXXXXXXXXX to XXXXXXXXXXXXXXXXXXXXXXXX
    rlm_ldap: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX bind to XXXXXXXXXXXXXXXXXXXXXXXX failed: Can't contact LDAP server
    rlm_ldap: (re)connection attempt failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    rlm_ldap::ldap_groupcmp: Search returned error
        users: Matched entry DEFAULT at line 224
      modcall[authorize]: module "files" returns ok for request 0
    modcall: group authorize returns ok for request 0
    rad_check_password:  Found Auth-Type Reject
    rad_check_password: Auth-Type = Reject, rejecting user
    auth: Failed to validate the user.
    Login incorrect: [username] (from client client port 0)
    Delaying request 0 for 1 seconds
    Finished request 0
    Going to the next request
    --- Walking the entire request list ---
    Waking up in 1 seconds...
    --- Walking the entire request list ---
    Sending Access-Reject of id 14 to x.x.x.x:3104
    Waking up in 4 seconds...
    --- Walking the entire request list ---
    Cleaning up request 0 ID 14 with timestamp 42d548f0
    Nothing to do.  Sleeping until we see a request.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
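An added example, not code from Jason's post or from the FreeRADIUS project: a small Python parser for a debug log in the shape quoted above. It records which LDAP host each bind attempt hit, split into the user-DN search phase and the Ldap-Group check phase, and flags group-check attempts against a host that had already failed earlier in the same request, which is exactly the pattern in the log above (search fails over to svr2, ldap_groupcmp keeps reconnecting to svr1). The hosts and bind DN in SAMPLE_LOG are constructed; the real log redacts them.

```python
import re

# Constructed sample in the shape of the debug log quoted in the post
# (hosts and bind DN are made up; the real log redacts them).
SAMPLE_LOG = """\
rlm_ldap: (re)connect to 10.0.0.1, authentication 0
rlm_ldap: cn=radius bind to 10.0.0.1 failed: Can't contact LDAP server
rlm_ldap: (re)connect to 10.0.0.3, authentication 0
rlm_ldap: cn=radius bind to 10.0.0.3 failed: Can't contact LDAP server
rlm_ldap: (re)connect to 10.0.0.2, authentication 0
rlm_ldap: Bind was successful
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: (re)connect to 10.0.0.1, authentication 0
rlm_ldap: cn=radius bind to 10.0.0.1 Can't contact LDAP server
rlm_ldap: Entering ldap_groupcmp()
rlm_ldap: (re)connect to 10.0.0.1, authentication 0
rlm_ldap: cn=radius bind to 10.0.0.1 failed: Can't contact LDAP server
"""

RECONNECT = re.compile(r"rlm_ldap: \(re\)connect to ([^,]+),")
# "bind as X to Y" lines do not contain " bind to ", so only failures match;
# the "failed:" word is optional because one line in the post lacks it.
BIND_FAIL = re.compile(r"rlm_ldap: .* bind to (\S+) (?:failed: )?")


def parse_attempts(log_text):
    """(phase, host, outcome) per bind attempt; phase is 'authorize' for the
    user DN search, 'groupcmp' once the users-file Ldap-Group check starts."""
    phase, host, attempts = "authorize", None, []
    for line in log_text.splitlines():
        if "Entering ldap_groupcmp()" in line:
            phase = "groupcmp"
        elif (m := RECONNECT.search(line)):
            host = m.group(1)
        elif (m := BIND_FAIL.search(line)):
            attempts.append((phase, m.group(1), "fail"))
        elif "Bind was successful" in line:
            attempts.append((phase, host, "ok"))
    return attempts


def failover_report(attempts):
    """Host each phase finally reached (None if none), plus every groupcmp
    attempt against a host that already failed earlier in the same request."""
    reached = {"authorize": None, "groupcmp": None}
    dead, retried_dead = set(), []
    for phase, host, outcome in attempts:
        if outcome == "ok":
            reached[phase] = reached[phase] or host
        else:
            if phase == "groupcmp" and host in dead:
                retried_dead.append(host)
            dead.add(host)
    return {"reached": reached, "retried_dead": retried_dead}
```

Run `failover_report(parse_attempts(open("radiusd.log").read()))` on a real `radiusd -X` capture; a non-empty `retried_dead` list with `reached["groupcmp"]` still `None` is the signature of the group check bypassing the redundant block.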