(RADIATOR) LDAP not timing out?
Dave Kitabjian
dave at netcarrier.com
Tue Jan 11 09:42:27 CST 2005
Thanks, Mike, for the pointer.
Yes, you're right. I didn't see it because it was nearly 10 minutes
earlier in the (rather busy) log:
Where Radiator got its first LDAP error:
Sat Jan 8 18:54:42 2005: DEBUG: Handling with Radius::AuthLDAP2: LDAP_AUTH
Sat Jan 8 18:54:42 2005: INFO: Connecting to localhost, port 389
Sat Jan 8 18:54:42 2005: INFO: Attempting to bind with dc=..., (server localhost:389)
Sat Jan 8 18:54:42 2005: ERR: ldap search failed with error LDAP_OPERATIONS_ERROR.
Sat Jan 8 18:54:42 2005: ERR: Disconnecting from LDAP server (server localhost:389).
The next Access-Request:
Sat Jan 8 18:54:43 2005: DEBUG: Handling with Radius::AuthLDAP2: LDAP_AUTH
Sat Jan 8 18:54:43 2005: INFO: Connecting to localhost, port 389
Sat Jan 8 18:54:43 2005: ERR: Could not open LDAP connection to localhost, port 389. Backing off for 600 seconds.
And then the next request:
Sat Jan 8 18:54:44 2005: DEBUG: Handling with Radius::AuthLDAP2: LDAP_AUTH
(ignored)
Then, 10 minutes (600 seconds) later:
Sat Jan 8 19:04:43 2005: DEBUG: Handling with Radius::AuthLDAP2: LDAP_AUTH
Sat Jan 8 19:04:43 2005: INFO: Connecting to localhost, port 389
Sat Jan 8 19:04:43 2005: ERR: Could not open LDAP connection to localhost, port 389. Backing off for 600 seconds.
Incidentally, here's the OpenLDAP clip that shows why it wasn't
responding:
OPEN LDAP LOG
--------------
Jan 8 18:54:42 lb2 slapd[228]: conn=9408993 fd=12 connection from localhost (127.0.0.1) accepted.
Jan 8 18:54:42 lb2 slapd[228]: conn=9408993 op=0 BIND dn="DC=..." method=128
Jan 8 18:54:42 lb2 slapd[228]: conn=9408993 op=0 RESULT err=0 tag=97 nentries=0
Jan 8 18:54:42 lb2 slapd[228]: conn=9408993 op=1 SRCH base="DC=..." scope=1 filter="(uid=MXX)"
Jan 8 18:54:42 lb2 slapd[228]: strdup(cn=mxx...) failed
Jan 8 21:03:55 lb2 slapd[67790]: slapd starting
I don't know what caused strdup() to fail in OpenLDAP, but it did.
Anyway, I guess Radiator behaved as it should by ignoring the requests.
However, I would suggest that it might be useful (appropriate?) for
Radiator trace 4 to indicate that it is ignoring a request. Thoughts?
Thanks for the help!
Dave
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Monday, January 10, 2005 6:45 PM
> To: Dave Kitabjian
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) LDAP not timing out?
>
> Hello Dave,
>
> Does your log contain any lines like:
> "Could not open LDAP connection to ...."
>
> or
> "Could not bind connection with ....."
>
> Cheers.
>
>
> On Tuesday 11 January 2005 08:58, Dave Kitabjian wrote:
> > Hi, folks.
> >
> > Authentication failed this weekend.
> >
> > Looking at the logs, the Access-Requests were all getting to this point:
> >
> > Sun Jan 9 08:46:32 2005: DEBUG: Handling with Radius::AuthLDAP2: LDAP_AUTH
> >
> > and that's it. Normally they continue with a line like:
> >
> > Sun Jan 9 08:46:32 2005: INFO: Connecting to localhost, port 389
> >
> > and so on. I thought that I'd at least see timeouts of some sort later
> > in the logfile, but there are none at all. It's as though the request
> > just blackholed, and Radiator forgot about it.
> >
> > The Unix admin states that slapd (OpenLDAP) was not running. That
> > explains why LDAP wasn't working. But I don't understand why Radiator
> > didn't time out?
> >
> > I'm not sure how it could be related, but the problem was exacerbated by
> > the fact that the NASes didn't fail over to the backup Radiator box.
> >
> > Any ideas are welcome!
> >
> > Dave
>
> --
> Mike McCauley mikem at open.com.au
> Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474 Fax +61 7 5598-7070
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP etc on Unix, Windows, MacOS etc.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
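
Added example (not part of the original message, and not Radiator code): a small log scanner that finds each "Backing off for N seconds" window and counts the AuthLDAP2 requests that arrived while it was open, which is the silent-ignore condition described in the message above. The line format is taken from the excerpts quoted in the message; the sample log is constructed and the function and variable names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Radiator log line as quoted in the thread: "<timestamp>: <LEVEL>: <message>"
LINE = re.compile(r"^(\w{3} \w{3} +\d+ [\d:]{8} \d{4}): (\w+): (.*)$")
BACKOFF = re.compile(r"Backing off for (\d+) seconds")
HANDLING = "Handling with Radius::AuthLDAP2"

# Constructed sample, modelled on the lines quoted in the message.
SAMPLE_LOG = """\
Sat Jan 8 18:54:43 2005: DEBUG: Handling with Radius::AuthLDAP2: LDAP_AUTH
Sat Jan 8 18:54:43 2005: INFO: Connecting to localhost, port 389
Sat Jan 8 18:54:43 2005: ERR: Could not open LDAP connection to localhost, port 389. Backing off for 600 seconds.
Sat Jan 8 18:54:44 2005: DEBUG: Handling with Radius::AuthLDAP2: LDAP_AUTH
Sat Jan 8 18:59:10 2005: DEBUG: Handling with Radius::AuthLDAP2: LDAP_AUTH
Sat Jan 8 19:04:43 2005: DEBUG: Handling with Radius::AuthLDAP2: LDAP_AUTH
Sat Jan 8 19:04:43 2005: INFO: Connecting to localhost, port 389
Sat Jan 8 19:04:43 2005: ERR: Could not open LDAP connection to localhost, port 389. Backing off for 600 seconds.
Sat Jan 8 19:04:50 2005: DEBUG: Handling with Radius::AuthLDAP2: LDAP_AUTH
"""

def backoff_windows(log_text):
    """Return one dict per back-off window: its start, its end, and how many
    AuthLDAP2 requests were handed to the module before the window expired."""
    windows = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or foreign line, skip it
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(3)
        b = BACKOFF.search(msg)
        if b:
            end = ts + timedelta(seconds=int(b.group(1)))
            windows.append({"start": ts, "end": end, "ignored": 0})
        elif HANDLING in msg and windows and ts < windows[-1]["end"]:
            # Request arrived while the module was still backing off.
            windows[-1]["ignored"] += 1
    return windows

if __name__ == "__main__":
    for w in backoff_windows(SAMPLE_LOG):
        print(f'{w["start"]} -> {w["end"]}: {w["ignored"]} request(s) during back-off')
```

Alerting on a non-zero count per window gives the visibility that the trace 4 log does not provide during an LDAP outage.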