[RADIATOR] ContinueWhileIgnore in AuthByGroup with LDAP
Bob Shafer
bshafer at du.edu
Fri Oct 2 03:54:28 CDT 2009
I'm pretty sure, at one time, this acted as I wished:
<AuthBy GROUP>
    AuthByPolicy ContinueWhileIgnore
    AuthBy LDAP-AUTH
    AuthBy BU-LDAP-AUTH
</AuthBy>
The intent being to try a primary LDAP server as configured in AuthBy
LDAP-AUTH, and if that server was unavailable, to try the backup server
as configured in AuthBy BU-LDAP-AUTH.
At some point, and I'm not sure when, because I did not test this after
every upgrade, it stopped working.
It appears that, when the primary fails, instead of returning IGNORE,
Radiator is returning REJECT:
Fri Oct 2 02:18:40 2009: ERR: Could not open LDAP connection to ldap.du.edu:636. Backing off for 600 seconds.
Fri Oct 2 02:18:40 2009: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user xyzzy
Fri Oct 2 02:18:40 2009: DEBUG: AuthBy GROUP result: REJECT, EAP MSCHAP V2 failed: no such user xyzzy
Fri Oct 2 02:18:40 2009: INFO: Access rejected for 872120688: EAP MSCHAP V2 failed: no such user xyzzy
If I switch from ContinueWhileIgnore to ContinueUntilAccept, failover
works. But that means that, when the user enters their credentials
incorrectly, Radiator will, unnecessarily, test them against the
backup server.
The server is running 4.4 with patches that were available as of last
Friday.
If you need to see the entire configuration file and/or debug output let
me know and I will send it under separate cover.
Bob
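
Added example, not part of the original post and not Radiator code: a simplified Python model of the two AuthByPolicy settings discussed above, showing why a REJECT from the unreachable primary ends the chain under ContinueWhileIgnore while ContinueUntilAccept falls through to the backup. The names run_group, ldap_authby and chain and the sample directory are assumptions made for illustration; only ACCEPT, REJECT and IGNORE are modelled, and EAP is left out.

```python
# Simplified model of an AuthBy GROUP walking its children (added example,
# not Radiator source). Only ACCEPT / REJECT / IGNORE are modelled.
ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Policy name -> "keep going after this child result?"
POLICIES = {
    "ContinueWhileIgnore": lambda r: r == IGNORE,
    "ContinueUntilAccept": lambda r: r != ACCEPT,
}

def run_group(policy, children, user, password):
    """Return (final_result, names_of_children_consulted)."""
    keep_going = POLICIES[policy]
    result, consulted = IGNORE, []
    for name, authby in children:
        result = authby(user, password)
        consulted.append(name)
        if not keep_going(result):
            break
    return result, consulted

def ldap_authby(directory, up=True, down_result=IGNORE):
    """Hypothetical stand-in for an LDAP-backed AuthBy clause.
    down_result is what the clause reports while its server is unreachable."""
    def authby(user, password):
        if not up:
            return down_result
        return ACCEPT if directory.get(user) == password else REJECT
    return authby

USERS = {"alice": "s3cret"}  # constructed sample directory

def chain(primary_up=True, down_result=IGNORE):
    """Primary and backup clauses, named as in the post's configuration."""
    return [
        ("LDAP-AUTH", ldap_authby(USERS, primary_up, down_result)),
        ("BU-LDAP-AUTH", ldap_authby(USERS)),
    ]

if __name__ == "__main__":
    cases = [
        ("ContinueWhileIgnore", chain(False, IGNORE), "s3cret"),  # intended failover
        ("ContinueWhileIgnore", chain(False, REJECT), "s3cret"),  # behaviour reported
        ("ContinueUntilAccept", chain(False, REJECT), "s3cret"),  # workaround
        ("ContinueUntilAccept", chain(True), "wrong"),            # its side effect
    ]
    for policy, children, password in cases:
        print(policy, *run_group(policy, children, "alice", password))
```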