Multiple Ldap resolver


BrianP
Aug 8, 2016, 6:22:13 PM
to privacyidea
Hello,
I am trying to configure privacyIDEA with several LDAP resolvers.

So my configuration is:
ldap://ldap.server1, ldap://ldap.server2

The resolver test is OK.

I manage to connect via the RADIUS server without problems when both LDAP servers are up and running.

But if I stop the first LDAP server (ldap://ldap.server1), all my RADIUS connections fail.

My server logs are:
rlm_perl: privacyIDEA Access Granted
rlm_perl: return RLM_MODULE_OK
rlm_perl: Added peer NAS-IP-Address = X.X.X.X
rlm_perl: Added peer Password = User-pin + otp
rlm_perl: par Added User-Name = user1
rlm_perl: Added par Message-Authenticator = 0x5d30dd28f37b8a45f34cf3a93472db58
rlm_perl: Added peer NAS-Port = 0
rlm_perl: ERROR: Failed to create peer-Serial privacyIDEA = OATH0000D202
rlm_perl: Added par Reply-Message = privacyIDEA Access Granted
rlm_perl: Added together Auth-Type = Perl
++ [Perl] returns ok
  WARNING: Empty post-auth section. Using default return values.
Sending Access-Accept id of 53 to X.X.X.X 53768 Port
Reply-Message = "privacyIDEA Access Granted"
Finished 0 request.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host X.X.X.X 53768 port, id = 53, length = 94
Sending duplicate reply to customer cerbere 53768 Port - ID: 53
Sending Access-Accept id of 53 to X.X.X.X 53768 Port
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host X.X.X.X 53768 port, id = 53, length = 94
Sending duplicate reply to customer cerbere 53768 Port - ID: 53
Sending Access-Accept id of 53 to X.X.X.X 53768 Port
Waking up in 4.9 seconds.
Cleaning up request with timestamp 53 0 ID 601
Ready to process requests.


And on the client side, with the radtest command:
0) No reply from server socket 53 for ID 3


Do you have any idea about this problem?

Many thanks
Brian

Cornelius Kölbel
Aug 8, 2016, 6:34:18 PM
to priva...@googlegroups.com
You should provide debug information; that helps.
You stated that this might be a privacyIDEA issue, so why do you
provide some RADIUS output?

Use the Auth API /validate/check and take a look into the
privacyidea.log file.

Kind regards
Cornelius

--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel



Cornelius Kölbel
Aug 8, 2016, 6:37:52 PM
to priva...@googlegroups.com
You are also unclear.

It sounds like you are using ONE resolver with two LDAP servers
specified,
not multiple resolvers?

Please improve your request.

On Monday, 08.08.2016, 15:22 -0700, BrianP wrote:

BrianP
Aug 8, 2016, 7:05:43 PM
to privacyidea
Sorry if I am unclear.

I created one LDAP resolver with 2 LDAP URIs, as in the docs:

If I understand the docs correctly, this configuration creates an LDAP pool with a round-robin strategy.

I will test with debug mode and send more information.

Thanks

BrianP
Aug 10, 2016, 5:00:36 PM
to privacyidea
Hello Cornelius,

Everything is OK now.
In fact, there was no problem.

Connections via the API were always OK, with one or 2 LDAP servers.
The problem in my case was the response time.

With a single LDAP server, the response times are very long (sometimes 30s).
My tests with radtest all failed because radtest does not wait for the response.

I use privacyIDEA with OpenVPN + the RADIUS plugin.
By increasing the response time in the RADIUS plugin configuration, everything works.

Sorry for the noise
Regards
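The thread's root cause is a timeout budget mismatch: one resolver with two LDAP URIs behind a RADIUS client that gives up before the LDAP lookup finishes. The following added diagnostic (not from the thread or the privacyIDEA project) parses a resolver's LDAPURI field as posted above, measures TCP connect time to each server, and checks the worst case against the RADIUS client's wait; it assumes a round-robin pool may try every server once, with an unreachable server costing a full connect timeout (assumed behaviour, not taken from the page).

```python
"""Check an LDAP resolver's servers against a RADIUS client's wait budget."""
import socket
import time
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_uris(uri_field):
    """Split a comma-separated LDAPURI field into (host, port) pairs.
    Tolerates the stray 'ldap: //host' spacing that appeared in the post."""
    targets = []
    for raw in uri_field.split(","):
        uri = raw.strip().replace(": //", "://")
        if not uri:
            continue
        parts = urlsplit(uri)
        if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
            raise ValueError(f"not an LDAP URI: {raw!r}")
        targets.append((parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme]))
    return targets


def tcp_connect_seconds(host, port, timeout):
    """Seconds until a TCP connect succeeds, or None if it fails or times out."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def worst_case_latency(latencies, connect_timeout):
    """Assumption: a round-robin pool may try every server once per request,
    and a dead server burns the whole connect_timeout before the pool moves on."""
    return sum(connect_timeout if lat is None else lat for lat in latencies)


def within_budget(latencies, connect_timeout, radius_wait):
    """True when the worst-case LDAP delay still fits the RADIUS client's wait."""
    return worst_case_latency(latencies, connect_timeout) < radius_wait


def diagnose(uri_field, connect_timeout=10.0, radius_wait=5.0):
    """Live check: probe each configured server and report whether the budget holds."""
    targets = parse_ldap_uris(uri_field)
    latencies = [tcp_connect_seconds(h, p, connect_timeout) for h, p in targets]
    return {"targets": targets, "latencies": latencies,
            "worst_case": worst_case_latency(latencies, connect_timeout),
            "ok": within_budget(latencies, connect_timeout, radius_wait)}
```

Run `diagnose("ldap://ldap.server1, ldap://ldap.server2", radius_wait=<plugin wait>)` with the wait value from your RADIUS plugin configuration; an `ok` of False reproduces the "No reply from server" symptom before any token is involved.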

Cornelius Kölbel
Aug 10, 2016, 5:25:32 PM
to priva...@googlegroups.com
Hello Brian,

thanks a lot for the feedback and reporting your experiences!

Kind regards
Cornelius