Zawacki Jason D Ctr AFRL/IFOS <[EMAIL PROTECTED]> wrote:
> I've been trying to get this to work, but it appears, to me, that the
> redundancy is only used for part of the auth process.

  What "auth" process? Authorize or authenticate?

> When looking up the
> DN for the user who is trying to authenticate, redundancy works.

  During the "authorize" stage.

> After that
> though, it appears that only the first module in the redundant list is
> tried.

  Which redundant list? You listed two.

> authenticate {
>     Auth-Type LDAP {
>         redundant { # wasn't sure if this was necessary
>             svr1

  If you want redundancy for authentication, you can list that.

> I test by simulating a failure of svr1 using:

  Ok. The debug log shows:

> modcall[authorize]: module "svr1" returns fail for request 0
...
> modcall[authorize]: module "svr3" returns fail for request 0
...
> modcall[authorize]: module "svr2" returns ok for request 0

  So the redundancy in the "authorize" section works.

> rlm_ldap::ldap_groupcmp: Search returned error

  You're using the LDAP-Group attribute, which is set to use svr1, which is down. There's currently no fail-over for the LDAP-Group attribute.

  Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
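
Added example, not part of the original message or of FreeRADIUS: a small triage script that reads debug output like the lines quoted above and reports, per request and section, which LDAP modules were tried and whether fail-over happened, and counts ldap_groupcmp search errors. The function name `summarize`, its `ldap_modules` parameter and the sample log are assumptions made for this illustration; the authenticate line in the sample is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the authorize and ldap_groupcmp lines follow the debug
# output quoted above; the authenticate line is an assumption added to show
# the "only the first module is tried" case.
SAMPLE_LOG = """\
modcall[authorize]: module "svr1" returns fail for request 0
modcall[authorize]: module "svr3" returns fail for request 0
modcall[authorize]: module "svr2" returns ok for request 0
rlm_ldap::ldap_groupcmp: Search returned error
modcall[authenticate]: module "svr1" returns fail for request 0
"""

MODCALL = re.compile(
    r'modcall\[(?P<section>\w+)\]: module "(?P<module>[^"]+)" '
    r"returns (?P<result>\w+) for request (?P<request>\d+)")
GROUPCMP_ERR = "rlm_ldap::ldap_groupcmp: Search returned error"

def summarize(log_text, ldap_modules=("svr1", "svr2", "svr3")):
    """Report, per (request, section), how far the LDAP module list got."""
    attempts = defaultdict(list)
    group_errors = 0
    for line in log_text.splitlines():
        m = MODCALL.search(line)
        if m and m["module"] in ldap_modules:
            key = (int(m["request"]), m["section"])
            attempts[key].append((m["module"], m["result"]))
        elif GROUPCMP_ERR in line:
            group_errors += 1  # LDAP-Group lookup failed; no fail-over here
    report = {}
    for key, tried in attempts.items():
        results = [result for _, result in tried]
        if "fail" not in results:
            status = "no failure"
        elif results[-1] != "fail":
            status = "fail-over to " + tried[-1][0]
        elif len(tried) == 1:
            status = "failed, no fail-over attempted"
        else:
            status = "all modules failed"
        report[key] = {"tried": [name for name, _ in tried], "status": status}
    return report, group_errors

if __name__ == "__main__":
    report, group_errors = summarize(SAMPLE_LOG)
    for (request, section), info in sorted(report.items()):
        print(request, section, info["tried"], info["status"])
    print("ldap_groupcmp search errors:", group_errors)
```

A non-zero ldap_groupcmp count alongside a successful authorize fail-over matches the situation described in the reply: the DN lookup fails over, the LDAP-Group check does not.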