[RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter

Heikki Vatiainen hvn at open.com.au
Wed Apr 6 16:44:09 CDT 2011 

On 04/06/2011 03:39 PM, Christian Kratzer wrote:

>> Wed Apr  6 00:32:34 2011: ERR: ldap search for (|(mail=foo)(uid=bar)) failed with error LDAP_SERVER_DOWN.
>> Wed Apr  6 00:32:34 2011: ERR: Disconnecting from LDAP server (server foo.uni-ulm.de:636).
>> Wed Apr  6 00:32:34 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database access error
> 
> this is strange as Radiator-4.x has explicit support for reconnecting
> to ldap servers after an idle timeout.

Indeed. The function that has "ldap search for ..." error message does
LDAP reconnect as the first thing. Reconnect should notice the closed
connection and then connect again.

It might be a good idea to upgrade since the newer versions might do
better job with sending notices about the disonnect.

If upgrade is not possible, then commenting out HoldServerConnection
will probably help too.

>> See the config part below:
>>
>> <AuthBy LDAP2>
>>     PacketTrace
>>     HoldServerConnection
>>     NoDefault
>>
>>     Host                foo.uni-ulm.de
>>     Version             3
>>     FailureBackoffTime  3
>>
>>     UseSSL
>>     SSLVerify           require
>>     SSLCAFile           %D/certificates/ca-bundle.crt
>>
>>     AuthDN              cn=secret
>>     AuthPassword        more-secret
>>
>>     BaseDN              ou=bar,dc=uni-ulm,dc=de
>>     Scope               one
>>
>>     # username oder e-mail
>>     SearchFilter        (|(mail=%1)(uid=%1))
>>     PasswordAttr        userPassword
>> </AuthBy>
> 
> Perhaps  as you only have one ldap server to forward to you should set
> FailureBackoffTime to 0 to allow radiator to immediatly to reconnect.
> 
> Casual reading of the source code makes me think this might be the problem.
> 
> <snipp/>
>> HINTS:
>>
>> I didn't see this problem with RADIATOR 3.11.
>> Sigh, I can't go back to 3.11 to verify it definitely.
>> Sigh, I know, it's a big step from 3.11 to 4.7.
>>
>> The LDAP server didn't change during the RADIATOR upgrade.
>> We are using an openldap-2.3.35 under SunOS 5.10 and openssl-0.9.8-latest.
> 
> As a side note and nothing to do with your current problem.
> 
> Latest stable is openldap-2.4.23 and latest released is 2.4.25. You
> should consider updating for anything but a trivial directory setup.
> There have been lots of fixes since openldap 2.3.
> 
> Greetings
> Christian
> 


-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

More information about the radiator mailing list