Hi! I commented out the deny rule and it exhibits the same behavior. I am at a loss on this on.
2008/10/19 <[EMAIL PROTECTED]> > Same huntgroup - different ldaps; you can't have DEFAULT lines rejecting > users then. Comment them out and see if it works. > > Ivan Kalik > Kalik Informatika ISP > > > Dana 19/10/2008, "Elizabeth Steinke" <[EMAIL PROTECTED]> piše: > > >Greetings! > >I'm having an odd problem trying to implement load balancing/redundancy. I > >have added the following lines to my radiusd.conf > > > >authorize {... > ># > ># We want redundant ldap lookups > >## > >redundant-load-balance { > > ldap1 > > ldap2 > >} > >## > ># end redundancy > >## > > } > > > >modules (... > > > > ldap ldap1 { > > } > > > > ldap ldap2 { > > } > > > > } > > > > > >Scenarios: > > > >This occurs using freeradius 1.1.7 (built from source) on a centos 5 box. > >If they both are specified correctly everything appears to work ok . > > > >When I purposely break ldap1 it works great and uses ldap2 for the LDAP > >lookup. > > > >When I break ldap2 and correct the IP address ldap1 is using to do lookups > I > >get an access-reject packet back. > > > >Here is the snippet of the log (I am posting it for brevity, I will be > more > >than happy to post all of radiusd -X) > > > >---log bits for when it rejects the attempt-- > > > >lm_ldap: ...some ldap server in ldap fairy land... failed: Can't contact > >LDAP server > >rlm_ldap: (re)connection attempt failed > >rlm_ldap::ldap_groupcmp: search failed > >rlm_ldap: ldap_release_conn: Release Id: 0 > > users: Matched entry DEFAULT at line 69 > > > >here is rule 68-69: > > > >DEFAULT Huntgroup-Name =="some huntgroup", Auth-Type = ntlm_auth_cleartext > > Fall-Through = 1 > >DEFAULT Huntgroup-Name == "some huntgroup",Ldap-Group != "someldapgroup", > >Auth-Type := Reject > > > >I can then see rlm_ldap doing the lookup successfully on ldap1 > > > >lm_ldap: ldap_get_conn: Checking Id: 0 > >rlm_ldap: ldap_get_conn: Got Id: 0 > >rlm_ldap: attempting LDAP reconnection > >rlm_ldap: (re)connect to ldap1:3268, authentication 0 > >rlm_ldap: waiting for bind result ... > >rlm_ldap: Bind was successful > >rlm_ldap: performing search in dc=..... > >rlm_ldap: looking for check items in directory... > >rlm_ldap: Adding memberOf as Ldap-Group == "..." > > > > > >What I think is happening is since the LDAP lookup failed the user is > indeed > >not a user of the group (doesn't exist etc..) so it matches on the > failure, > > since its first match it doesn't matter that is matches on the second > >lookup. It still gives me a failure. Is their a way keep it from rejecting > >the attempt if ldap2 is down? > > > > > > - > List info/subscribe/unsubscribe? See > http://www.freeradius.org/list/users.html >
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html