[RADIATOR] LDAP_OPERATIONS_ERROR

Christian Kratzer ck-lists at cksoft.de
Tue Dec 13 07:34:45 CST 2011


Hi,

On Tue, 13 Dec 2011, Jim Tyrrell wrote:
> Hi,
>
> Can someone shed light on what the error message "LDAP_OPERATIONS_ERROR"
> actually means?  I am seeing this quite frequently in the logs of our
> Radius servers that connect to a load balanced cluster of LDAP servers.
> I had suspected the connection being dropped/timed out on firewalls or
> the load balancer, but Radiator is reporting this immediately after
> attempting the lookup:
>
>
> Tue Dec 13 10:04:49 2011: DEBUG: Rewrote user name to user123 at domain.com
> Tue Dec 13 10:04:49 2011: DEBUG: Packet dump:
> *** Received from 1.2.3.4 1645 ....
> Tue Dec 13 10:04:49 2011: DEBUG: Handling request with Handler
> 'Called-Station-Id = /xxxxxxxx/'
> Tue Dec 13 10:04:49 2011: DEBUG: Rewrote user name to user123 at domain.com
> Tue Dec 13 10:04:49 2011: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Dec 13 10:04:49 2011: ERR: ldap search for
> (&(uid=user123 at domain.com)(objectstatus=enable)(rasstatus=enable))
> failed with error LDAP_OPERATIONS_ERROR.
> Tue Dec 13 10:04:49 2011: ERR: Disconnecting from LDAP server (server
> ldap-cluster:389).
> Tue Dec 13 10:04:49 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User
> database access error
>
> I can't see any obvious errors on the LDAP servers.  I assume as the
> error message is instant after the lookup then it is getting some sort
> of response from LDAP but doesn't like it for some reason?

We used to get this a lot when the ldap servers were closing idle connections after a certain timeout.

Radiator noticed the socket was gone when it tried to perform the next query on it and then logged an LDAP_OPERATIONS_ERROR.

This happened quite often on certain ldap servers that did not get a steady query load and thus had a chance to run into their idle timeout.

You might want to confirm this is the case by running a packet capture of traffic between your radius and your ldap servers.

Recent versions of AuthBy LDAP2 in Radiator automatically reconnect in these cases so you do not lose an auth request and get no operations error.

Greetings
Christian Kratzer
CK Software GmbH


>
> Thanks.
>
> Jim.

-- 
Christian Kratzer                      CK Software GmbH
Email:   ck at cksoft.de                  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer
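
Added example (not part of the original thread and not Radiator code): a quick log check to run before setting up the packet capture suggested above. It measures how long the LDAP connection sat idle before each lookup and whether that lookup hit LDAP_OPERATIONS_ERROR. It assumes a single Radiator process with one AuthBy LDAP2 connection and one log event per line; the sample log is constructed.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted above, one event per line.
SAMPLE_LOG = """\
Tue Dec 13 09:10:02 2011: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 13 09:10:40 2011: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 13 09:15:40 2011: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 13 10:04:49 2011: DEBUG: Packet dump:
*** Received from 1.2.3.4 1645 ....
Tue Dec 13 10:04:49 2011: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 13 10:04:49 2011: ERR: ldap search for (uid=user123) failed with error LDAP_OPERATIONS_ERROR.
Tue Dec 13 10:04:49 2011: ERR: Disconnecting from LDAP server (server ldap-cluster:389).
Tue Dec 13 10:04:50 2011: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 13 10:30:10 2011: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 13 10:30:10 2011: ERR: ldap search for (uid=user123) failed with error LDAP_OPERATIONS_ERROR.
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (\w+): (.*)$")

def idle_gaps(log_text):
    """Return [(lookup_time, idle_seconds_before_lookup, failed)] per LDAP lookup."""
    results, last_use = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines, e.g. packet dump contents
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(3)
        if "Handling with Radius::AuthLDAP2" in msg:
            idle = (ts - last_use).total_seconds() if last_use else None
            results.append([ts, idle, False])
            last_use = ts
        elif "LDAP_OPERATIONS_ERROR" in msg and results:
            results[-1][2] = True  # the lookup that just started failed
    return [tuple(r) for r in results]

def timeout_bounds(gaps):
    """(longest idle that still worked, shortest idle that failed), in seconds."""
    ok = [i for _, i, failed in gaps if i is not None and not failed]
    bad = [i for _, i, failed in gaps if i is not None and failed]
    return (max(ok) if ok else None, min(bad) if bad else None)

if __name__ == "__main__":
    print(timeout_bounds(idle_gaps(SAMPLE_LOG)))
```

If every failure follows a longer idle period than any successful lookup, the two numbers bracket the idle timeout on the LDAP server, load balancer or firewall; failures after only a second or two of idle point to a different cause.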

