Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter
Hi Heikki,

On 12.04.2011 14:09, Heikki Vatiainen wrote:
> On 04/11/2011 12:26 PM, Karl Gaissmaier wrote:
>>>> this is strange as Radiator-4.x has explicit support for reconnecting
>>>> to ldap servers after an idle timeout.
>>>
>>> Indeed. The function that has "ldap search for ..." error message does
>>> LDAP reconnect as the first thing. Reconnect should notice the closed
>>> connection and then connect again.
>>
>> but not with HoldServerConnection, or? I don't see a reconnect,
>> not under Trace 4 and even not on the wire with wireshark.
>
> With HoldServerConnection, yes.
>
> When HoldServerConnection is defined and there should be an active ldap
> handle, the code checks if the socket is still ok or if the socket
> indicates that there is something available. If this something is
> LDAP_OPERATIONS_ERROR with "Unexpected EOF" then there should be a
> reconnect.

Really strange. I didn't see this. After the LDAP upgrade I'll come back
to this problem and keep you informed.

Best Regards
Charly

--
Karl Gaissmaier
Kommunikations und Informationszentrum kiz der Universität Ulm
Abteilung Infrastruktur
SG Netzwerk und Telekommunikation
89069 Ulm
Tel.: 49(0)731/50-22499
Fax : 49(0)731/50-1222499

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter
On 04/11/2011 12:26 PM, Karl Gaissmaier wrote:
>>> this is strange as Radiator-4.x has explicit support for reconnecting
>>> to ldap servers after an idle timeout.
>>
>> Indeed. The function that has "ldap search for ..." error message does
>> LDAP reconnect as the first thing. Reconnect should notice the closed
>> connection and then connect again.
>
> but not with HoldServerConnection, or? I don't see a reconnect,
> not under Trace 4 and even not on the wire with wireshark.

With HoldServerConnection, yes.

When HoldServerConnection is defined and there should be an active ldap
handle, the code checks if the socket is still ok or if the socket
indicates that there is something available. If this something is
LDAP_OPERATIONS_ERROR with "Unexpected EOF" then there should be a
reconnect.

Before this check, the code checks if the socket is still connected.
This should take care of e.g., timeouts caused by firewalls.

Thanks,
Heikki

--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc.
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
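The check Heikki describes above, written out as an added example (this is illustrative code for this page, not Radiator's own Perl or anything posted in the thread): before a held connection is reused, look whether the peer has already closed it, and if so disconnect and reconnect instead of issuing the search that would otherwise fail with LDAP_SERVER_DOWN and make the first Access-Request after the idle window come back as IGNORE. The stand-in "slapd" (a local TCP thread with a short idle timeout), the request and reply bytes, and the 0.3 s timeout are all assumptions made so the example runs offline; it speaks plain TCP, not LDAP, because the point is the socket liveness check, not the protocol.

```python
"""Added example (not Radiator's code): re-validate a held LDAP connection
before use, so a server-side idle close becomes a reconnect, not a failed search."""
import select
import socket
import threading
import time

IDLE_TIMEOUT = 0.3   # stands in for slapd.conf 'idletimeout' (10 min in the thread)
HOST = "127.0.0.1"


def _fake_slapd(listener, idle_timeout):
    """Stand-in for slapd: serve one client at a time, drop it when idle."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return                      # listener closed: end the thread
        with conn:
            conn.settimeout(idle_timeout)
            try:
                while True:
                    req = conn.recv(1024)
                    if not req:
                        break           # client closed first
                    conn.sendall(b"OK " + req)
            except socket.timeout:
                pass                    # idle client: close it, as slapd does


def peer_closed(sock):
    """True if the peer already sent FIN/RST: the socket is readable but a peek
    yields no bytes. Readable with data pending still counts as alive."""
    readable, _, _ = select.select([sock], [], [], 0)
    if not readable:
        return False                    # nothing pending: looks connected
    try:
        return sock.recv(1, socket.MSG_PEEK) == b""
    except OSError:
        return True                     # ECONNRESET and similar


class HeldConnection:

    def __init__(self, port):
        self.addr = (HOST, port)
        self.sock = None
        self.connects = 0

    def _connect(self):
        self.sock = socket.create_connection(self.addr, timeout=2)
        # Keepalive covers silent drops (e.g. a firewall) that never send a FIN.
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        self.connects += 1

    def search(self, filt):
        if self.sock is None or peer_closed(self.sock):
            if self.sock is not None:
                self.sock.close()       # 'Disconnecting from LDAP server' ...
            self._connect()             # ... followed by an immediate reconnect
        self.sock.sendall(filt)
        return self.sock.recv(1024)


def naive_search(sock, filt):
    """Reuse a held socket without checking it: after the server's idle close
    the search fails, which is the LDAP_SERVER_DOWN case from the thread."""
    try:
        sock.sendall(filt)
        reply = sock.recv(1024)
    except OSError:
        return "LDAP_SERVER_DOWN"
    return reply if reply else "LDAP_SERVER_DOWN"


def demo():
    """Run both clients against the stand-in server; return what each observed."""
    listener = socket.socket()
    listener.bind((HOST, 0))            # ephemeral port, loopback only
    listener.listen(5)
    port = listener.getsockname()[1]
    threading.Thread(target=_fake_slapd, args=(listener, IDLE_TIMEOUT),
                     daemon=True).start()
    results = {}
    try:
        naive = socket.create_connection((HOST, port), timeout=2)
        naive_search(naive, b"(uid=bar)")          # fine while the link is fresh
        time.sleep(IDLE_TIMEOUT * 3)               # server drops the idle client
        results["naive"] = naive_search(naive, b"(uid=bar)")
        naive.close()
        held = HeldConnection(port)
        results["checked_first"] = held.search(b"(uid=bar)")
        time.sleep(IDLE_TIMEOUT * 3)
        results["checked_after_idle"] = held.search(b"(uid=bar)")
        results["connects"] = held.connects        # initial connect + one reconnect
        held.sock.close()
    finally:
        listener.close()
    return results


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should keep in mind: this check only sees closes the server announces. A stateful firewall that silently ages the flow out sends no FIN, so select reports nothing, the send appears to succeed, and the failure only surfaces as a read timeout; that is what SO_KEEPALIVE (or a bounded read timeout) is for, and it is also why the thread's fallback of dropping HoldServerConnection works, at the cost of a fresh bind and a TLS handshake on port 636 for every request.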
Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter
Hello,

thanks for your reply!

On 06.04.2011 23:44, Heikki Vatiainen wrote:
> On 04/06/2011 03:39 PM, Christian Kratzer wrote:
>
>>> Wed Apr 6 00:32:34 2011: ERR: ldap search for (|(mail=foo)(uid=bar))
>>> failed with error LDAP_SERVER_DOWN.
>>> Wed Apr 6 00:32:34 2011: ERR: Disconnecting from LDAP server (server
>>> foo.uni-ulm.de:636).
>>> Wed Apr 6 00:32:34 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database
>>> access error
>>
>> this is strange as Radiator-4.x has explicit support for reconnecting
>> to ldap servers after an idle timeout.
>
> Indeed. The function that has "ldap search for ..." error message does
> LDAP reconnect as the first thing. Reconnect should notice the closed
> connection and then connect again.

but not with HoldServerConnection, or? I don't see a reconnect,
not under Trace 4 and even not on the wire with wireshark.

> It might be a good idea to upgrade since the newer versions might do
> better job with sending notices about the disconnect.

The LDAP Server isn't under my management domain. But I'll suggest an
upgrade.

> If upgrade is not possible, then commenting out HoldServerConnection
> will probably help too.

done, yep this helps but it's not the best solution under heavy load.

..

>> Perhaps as you only have one ldap server to forward to you should set
>> FailureBackoffTime to 0 to allow radiator to immediately reconnect.

This didn't help.

Best Regards
Charly

--
Karl Gaissmaier
Kommunikations und Informationszentrum kiz der Universität Ulm
Abteilung Infrastruktur
SG Netzwerk und Telekommunikation
89069 Ulm
Tel.: 49(0)731/50-22499
Fax : 49(0)731/50-1222499
Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter
On 04/06/2011 03:39 PM, Christian Kratzer wrote:
>> Wed Apr 6 00:32:34 2011: ERR: ldap search for (|(mail=foo)(uid=bar)) failed
>> with error LDAP_SERVER_DOWN.
>> Wed Apr 6 00:32:34 2011: ERR: Disconnecting from LDAP server (server
>> foo.uni-ulm.de:636).
>> Wed Apr 6 00:32:34 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database
>> access error
>
> this is strange as Radiator-4.x has explicit support for reconnecting
> to ldap servers after an idle timeout.

Indeed. The function that has "ldap search for ..." error message does
LDAP reconnect as the first thing. Reconnect should notice the closed
connection and then connect again.

It might be a good idea to upgrade since the newer versions might do
better job with sending notices about the disconnect.

If upgrade is not possible, then commenting out HoldServerConnection
will probably help too.

>> See the config part below:
>>
>> <AuthBy LDAP2>
>>     PacketTrace
>>     HoldServerConnection
>>     NoDefault
>>
>>     Host foo.uni-ulm.de
>>     Version 3
>>     FailureBackoffTime 3
>>
>>     UseSSL
>>     SSLVerify require
>>     SSLCAFile %D/certificates/ca-bundle.crt
>>
>>     AuthDN cn=secret
>>     AuthPassword more-secret
>>
>>     BaseDN ou=bar,dc=uni-ulm,dc=de
>>     Scope one
>>
>>     # username or e-mail
>>     SearchFilter (|(mail=%1)(uid=%1))
>>     PasswordAttr userPassword
>> </AuthBy>
>
> Perhaps as you only have one ldap server to forward to you should set
> FailureBackoffTime to 0 to allow radiator to immediately reconnect.
>
> Casual reading of the source code makes me think this might be the problem.
>
>> HINTS:
>>
>> I didn't see this problem with RADIATOR 3.11.
>> Sigh, I can't go back to 3.11 to verify it definitely.
>> Sigh, I know, it's a big step from 3.11 to 4.7.
>>
>> The LDAP server didn't change during the RADIATOR upgrade.
>> We are using an openldap-2.3.35 under SunOS 5.10 and openssl-0.9.8-latest.
>
> As a side note and nothing to do with your current problem.
>
> Latest stable is openldap-2.4.23 and latest released is 2.4.25. You
> should consider updating for anything but a trivial directory setup.
> There have been lots of fixes since openldap 2.3.
>
> Greetings
> Christian
>

--
Heikki Vatiainen
Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter
Hi,

On Wed, 6 Apr 2011, Karl Gaissmaier wrote:
> Hi RADIATOR team,
>
> I've got a problem with Version 4.7 and AuthBy LDAP2. The LDAP server
> terminates the connection after 10min of client idle as configured in
> slapd.conf.
>
> Seems that the RADIATOR doesn't recognize this, and the first ACCESS-REQUEST
> after this termination gets the following error:
>
> Wed Apr 6 00:32:34 2011: ERR: ldap search for (|(mail=foo)(uid=bar)) failed
> with error LDAP_SERVER_DOWN.
> Wed Apr 6 00:32:34 2011: ERR: Disconnecting from LDAP server (server
> foo.uni-ulm.de:636).
> Wed Apr 6 00:32:34 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database
> access error

this is strange as Radiator-4.x has explicit support for reconnecting
to ldap servers after an idle timeout.

> See the config part below:
>
> <AuthBy LDAP2>
>     PacketTrace
>     HoldServerConnection
>     NoDefault
>
>     Host foo.uni-ulm.de
>     Version 3
>     FailureBackoffTime 3
>
>     UseSSL
>     SSLVerify require
>     SSLCAFile %D/certificates/ca-bundle.crt
>
>     AuthDN cn=secret
>     AuthPassword more-secret
>
>     BaseDN ou=bar,dc=uni-ulm,dc=de
>     Scope one
>
>     # username or e-mail
>     SearchFilter (|(mail=%1)(uid=%1))
>     PasswordAttr userPassword
> </AuthBy>

Perhaps as you only have one ldap server to forward to you should set
FailureBackoffTime to 0 to allow radiator to immediately reconnect.

Casual reading of the source code makes me think this might be the problem.

> HINTS:
>
> I didn't see this problem with RADIATOR 3.11.
> Sigh, I can't go back to 3.11 to verify it definitely.
> Sigh, I know, it's a big step from 3.11 to 4.7.
>
> The LDAP server didn't change during the RADIATOR upgrade.
> We are using an openldap-2.3.35 under SunOS 5.10 and openssl-0.9.8-latest.

As a side note and nothing to do with your current problem.

Latest stable is openldap-2.4.23 and latest released is 2.4.25. You
should consider updating for anything but a trivial directory setup.
There have been lots of fixes since openldap 2.3.

Greetings
Christian

--
Christian Kratzer                       CK Software GmbH
Email: c...@cksoft.de                   Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0             D-71126 Gaeufelden
Fax:   +49 7032 893 997 - 9             HRB 245288, Amtsgericht Stuttgart
Web:   http://www.cksoft.de/            Geschaeftsfuehrer: Christian Kratzer