[RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter

Christian Kratzer ck-lists at cksoft.de
Wed Apr 6 07:39:59 CDT 2011


Hi,

On Wed, 6 Apr 2011, Karl Gaissmaier wrote:

> Hi RADIATOR team,
>
> I've got a problem with Version 4.7 and AuthBy LDAP2. The LDAP server terminates
> the connection after 10 min of client idle time, as configured in slapd.conf.
>
> It seems that RADIATOR doesn't recognize this, and the first ACCESS-REQUEST
> after this termination gets the following error:
>
> Wed Apr  6 00:32:34 2011: ERR: ldap search for (|(mail=foo)(uid=bar)) failed with error LDAP_SERVER_DOWN.
> Wed Apr  6 00:32:34 2011: ERR: Disconnecting from LDAP server (server foo.uni-ulm.de:636).
> Wed Apr  6 00:32:34 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error

This is strange, as Radiator 4.x has explicit support for reconnecting
to LDAP servers after an idle timeout.

> See the config part below:
>
> <AuthBy LDAP2>
>     PacketTrace
>     HoldServerConnection
>     NoDefault
>
>     Host                foo.uni-ulm.de
>     Version             3
>     FailureBackoffTime  3
>
>     UseSSL
>     SSLVerify           require
>     SSLCAFile           %D/certificates/ca-bundle.crt
>
>     AuthDN              cn=secret
>     AuthPassword        more-secret
>
>     BaseDN              ou=bar,dc=uni-ulm,dc=de
>     Scope               one
>
>     # username or e-mail
>     SearchFilter        (|(mail=%1)(uid=%1))
>     PasswordAttr        userPassword
> </AuthBy>

Perhaps, as you only have one LDAP server to forward to, you should set
FailureBackoffTime to 0 to allow Radiator to reconnect immediately.

Casual reading of the source code makes me think this might be the problem.

<snipp/>
> HINTS:
>
> I didn't see this problem with RADIATOR 3.11.
> Sigh, I can't go back to 3.11 to verify it definitely.
> Sigh, I know, it's a big step from 3.11 to 4.7.
>
> The LDAP server didn't change during the RADIATOR upgrade.
> We are using an openldap-2.3.35 under SunOS 5.10 and openssl-0.9.8-latest.

As a side note and nothing to do with your current problem.

Latest stable is openldap-2.4.23 and latest released is 2.4.25. You
should consider updating for anything but a trivial directory setup.
There have been lots of fixes since openldap 2.3.

Greetings
Christian

-- 
Christian Kratzer                      CK Software GmbH
Email:   ck at cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer
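The failure above (a held LDAP connection that slapd closes after its idle timeout, the first search afterwards failing with LDAP_SERVER_DOWN, and the effect of FailureBackoffTime on the recovery) is easy to reason about with a small offline model. The following is an added example written for this archive page; it is not Radiator or OpenLDAP code and none of it appears in the mail. The directory server, the connection and the client are constructed stand-ins, and the `failure_backoff` and `retries` knobs model FailureBackoffTime and a per-operation retry as the thread describes them, not Radiator's real internals.

```python
"""Added example (my own model, not Radiator or OpenLDAP code) of a client that
holds one directory connection open, as AuthBy LDAP2 does with
HoldServerConnection, and what happens when slapd quietly closes it after its
idle timeout.  All classes are constructed stand-ins; ``failure_backoff`` and
``retries`` model FailureBackoffTime and a per-operation retry as the mail
describes them, not Radiator's actual internals."""


class ServerDown(Exception):
    """Stand-in for the LDAP_SERVER_DOWN result quoted in the mail."""


class FakeDirectory:
    """Constructed slapd stand-in with a manual clock (``now``): drops any
    connection idle longer than idle_timeout seconds; ``online`` False
    models a real outage."""

    def __init__(self, idle_timeout=600):
        self.now = 0.0
        self.idle_timeout = idle_timeout
        self.online = True
        self.connect_attempts = 0

    def connect(self):
        self.connect_attempts += 1
        if not self.online:
            raise ServerDown("connect refused")
        return FakeConnection(self)


class FakeConnection:
    def __init__(self, server):
        self.server = server
        self.last_used = server.now

    def search(self, filt):
        srv = self.server
        # slapd closed the socket silently; the client only notices on use.
        if not srv.online or srv.now - self.last_used > srv.idle_timeout:
            raise ServerDown("connection closed by peer")
        self.last_used = srv.now
        return [{"uid": filt}]


class HeldConnectionClient:
    """Keeps one connection across requests.  On ServerDown the connection is
    dropped ("Disconnecting from LDAP server"), the server is marked failed
    for failure_backoff seconds, and the operation is retried up to
    ``retries`` times on a fresh connection."""

    def __init__(self, server, failure_backoff, retries=1):
        self.server = server
        self.failure_backoff = failure_backoff
        self.retries = retries
        self.conn = None
        self.backoff_until = -1.0

    def search(self, filt):
        """Entries on success; None means 'IGNORE, User database access error'."""
        for _ in range(self.retries + 1):
            now = self.server.now
            if self.conn is None:
                if now < self.backoff_until:
                    break  # still marked failed: no reconnect attempt
                try:
                    self.conn = self.server.connect()
                except ServerDown:
                    self.backoff_until = now + self.failure_backoff
                    break
            try:
                return self.conn.search(filt)
            except ServerDown:
                self.conn = None
                self.backoff_until = now + self.failure_backoff
        return None


def idle_timeout_scenario(failure_backoff, retries=1):
    """A request, a pause longer than slapd's idle timeout, a second request.
    Returns the second result: entries on recovery, None on IGNORE."""
    server = FakeDirectory(idle_timeout=600)
    client = HeldConnectionClient(server, failure_backoff, retries)
    client.search("foo")   # connects and succeeds
    server.now += 601      # idle longer than the 600 s timeout
    return client.search("foo")


def outage_scenario(failure_backoff, requests=10, interval=1):
    """Server offline throughout; returns the connect attempts made while
    ``requests`` requests arrive ``interval`` seconds apart."""
    server = FakeDirectory()
    server.online = False
    client = HeldConnectionClient(server, failure_backoff)
    for _ in range(requests):
        client.search("foo")
        server.now += interval
    return server.connect_attempts
```

With `failure_backoff=3` and one retry, `idle_timeout_scenario` reproduces the symptom in the mail: the stale held connection fails, the server is marked failed for three seconds, and the retry is refused inside that window, so the request ends as IGNORE. With `failure_backoff=0` the retry reconnects at once and the same request succeeds, which is the change Christian suggests. With no retry at all (`retries=0`) the first request after the idle period is lost whatever the backoff is, which is the "missing Retry parameter" of the subject line. `outage_scenario` shows the cost of backoff 0 against a server that is really down: one connect attempt per request instead of one per backoff window, which is acceptable for a single backend but worth remembering when several servers are listed. Outside what the mail discusses, the idle close itself can also be avoided by raising slapd's idletimeout above the longest quiet period the RADIUS server sees, or by having the client issue a cheap operation before that timeout expires.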

