[RADIATOR] LDAPS connection problem

Heikki Vatiainen hvn at open.com.au
Fri Oct 19 04:01:54 CDT 2012


On 10/18/2012 06:33 PM, Alexander Hartmaier wrote:

> I've upgraded the radiator servers from 4.8 to 4.10 with current patches
> in hope of a fix but it still shows the same behaviour:
> 
> Sometimes it works:
> Thu Oct 18 12:41:42 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
> Thu Oct 18 12:41:42 2012: INFO: Attempting to bind to LDAP server
> 10.1.2.1 10.1.2.2:636
> 
> Sometimes it doesn't:
> Thu Oct 18 13:38:43 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
> Thu Oct 18 13:38:49 2012: ERR: Could not open LDAP connection to
> 10.1.2.1 10.1.2.2:636. Backing off for 5 seconds.
> 
> BTW the debug output is really puzzling when you configure more than one
> server/ip-address and should be changed to only show the server/ip
> that's used to try the connection!

The reference manual talks briefly about this:

  ... Multiple space separated host names can be specified
      and Net::LDAP will choose the first available one. ...

What happens is radiusd passes all hosts to Net::LDAP which then uses
its own methods for trying to contact the hosts. For this reason the log
entry sort of makes sense. In other words, specifying multiple names or
addresses for Host can be useful, but it takes some of the control away
from radiusd.

If you want full control for contacting LDAP servers, you can specify
two AuthBy LDAP2 clauses both with just a single Host. When there's a
connection or query problem, the AuthBy will return IGNORE and the
default AuthByPolicy (ContinueWhileIgnore) will then switch to the next
AuthBy.

AuthBy LDAP2 also supports FailureBackoffTime. In case of error, the
failed AuthBy LDAP2 clause will be left alone to recover for the
specified time.

> That's our config:
> 
> <AuthBy LDAP2>
>         # Save time by never looking for a default
>         NoDefault
> 
>         Host 10.1.2.1 10.1.2.2
>         Port 636

Here Net::LDAP will take care of retrying, timeouts etc. until all hosts
have been tried.


Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
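The layout Heikki describes, written out as an added example (this is not configuration from the thread or from Radiator's own distribution): two AuthBy LDAP2 clauses with one Host each, so that radiusd rather than Net::LDAP decides which LDAPS server is tried, a FailureBackoffTime so a failed clause is left alone while the Handler falls through to the other one, and the default AuthByPolicy stated explicitly. Only Host, Port, NoDefault, FailureBackoffTime and AuthByPolicy ContinueWhileIgnore appear in the thread; the other parameter names (Identifier, UseSSL, SSLVerify, SSLCAFile, Timeout, BaseDN, AuthDN, AuthPassword, UsernameAttr, PasswordAttr) are as I recall them from the Radiator reference manual, and every value (addresses, DNs, paths, password) is a placeholder to replace.

```conf
# Added example, not from the thread or from Radiator itself.
# Two AuthBy LDAP2 clauses, one Host each, referenced from a Handler.
# Parameter names other than Host, Port, NoDefault, FailureBackoffTime
# and AuthByPolicy are as recalled from the Radiator reference manual;
# all values below are placeholders.

<AuthBy LDAP2>
        Identifier LDAP-Primary
        # Save time by never looking for a default
        NoDefault
        Host 10.1.2.1
        Port 636
        # LDAPS (ldaps://), not STARTTLS
        UseSSL
        # Verify the server certificate against a CA bundle before binding
        SSLVerify require
        SSLCAFile /etc/radiator/ldap-ca.pem
        # Treat a host that does not answer within 5 seconds as failed
        Timeout 5
        # After a failure this clause returns IGNORE without retrying
        # for 30 seconds, so the Handler moves on to the next AuthBy
        FailureBackoffTime 30
        BaseDN ou=People,dc=example,dc=com
        AuthDN cn=radiator,ou=Services,dc=example,dc=com
        AuthPassword REPLACE_ME
        UsernameAttr uid
        PasswordAttr userPassword
</AuthBy>

<AuthBy LDAP2>
        Identifier LDAP-Secondary
        NoDefault
        Host 10.1.2.2
        Port 636
        UseSSL
        SSLVerify require
        SSLCAFile /etc/radiator/ldap-ca.pem
        Timeout 5
        FailureBackoffTime 30
        BaseDN ou=People,dc=example,dc=com
        AuthDN cn=radiator,ou=Services,dc=example,dc=com
        AuthPassword REPLACE_ME
        UsernameAttr uid
        PasswordAttr userPassword
</AuthBy>

<Handler>
        # ContinueWhileIgnore is the default; stated so the fall-through
        # from LDAP-Primary to LDAP-Secondary is explicit
        AuthByPolicy ContinueWhileIgnore
        AuthBy LDAP-Primary
        AuthBy LDAP-Secondary
</Handler>
```

With this layout each "Connecting to" and "Could not open LDAP connection" log line names exactly one address, which is the log clarity Alexander asked for, and the backoff means a dead server is probed once per FailureBackoffTime instead of on every request.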

