Multiple LDAP resolvers

Hello,
I am trying to configure privacyIDEA with several LDAP resolvers.

So my configuration is:
ldap://ldap.server1, ldap://ldap.server2

The resolver test is OK.

I manage to connect to the RADIUS server without problem with both LDAP
servers up and running.

But if I stop the first LDAP server (ldap://ldap.server1), all my RADIUS
connections fail.

My server logs are:
rlm_perl: privacyIDEA Access Granted
rlm_perl: return RLM_MODULE_OK
rlm_perl: Added peer NAS-IP-Address = X.X.X.X
rlm_perl: Added peer Password = User-pin + otp
rlm_perl: par Added User-Name = user1
rlm_perl: Added par Message-Authenticator = 0x5d30dd28f37b8a45f34cf3a93472db58
rlm_perl: Added peer NAS-Port = 0
rlm_perl: ERROR: Failed to create peer-Serial privacyIDEA = OATH0000D202
rlm_perl: Added par Reply-Message = privacyIDEA Access Granted
rlm_perl: Added together Auth-Type = Perl
++ [Perl] returns ok
WARNING: Empty post-auth section. Using default return values.
Sending Access-Accept id of 53 to X.X.X.X 53768 Port
Reply-Message = "privacyIDEA Access Granted"
Finished 0 request.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host X.X.X.X 53768 port, id = 53, length = 94
Sending duplicate reply to customer cerbere 53768 Port - ID: 53
Sending Access-Accept id of 53 to X.X.X.X 53768 Port
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host X.X.X.X 53768 port, id = 53, length = 94
Sending duplicate reply to customer cerbere 53768 Port - ID: 53
Sending Access-Accept id of 53 to X.X.X.X 53768 Port
Waking up in 4.9 seconds.
Cleaning up request with timestamp 53 0 ID 601
Ready to process requests.

And on the client side, with the radtest command:
0) No reply from server socket 53 for ID 3

Do you have any idea about this problem?

Many thanks
Brian

You should provide debug information; that helps.
You stated that this might be a privacyIDEA issue, so why do you
provide some RADIUS output?

Use the Auth API /validate/check and take a look into the
privacyidea.log file.

Kind regards
Cornelius


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/e89942d0-f883-4238-9fff-b6b82238df0d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


You are also unclear.

It sounds like you are using ONE resolver with two LDAP servers
specified.
Not multiple resolvers?

Please improve your request.


Sorry if I am unclear.

I created one LDAP resolver with 2 LDAP URIs, like the doc:
http://privacyidea.readthedocs.io/en/latest/configuration/useridresolvers.html?highlight=ldap

If I understand the doc, this configuration creates an LDAP pool with a
round-robin strategy.

I will test in debug mode and send more information.

Thanks


Hello Brian,

Thanks a lot for the feedback and for reporting your experiences!

Kind regards
Cornelius

On Wednesday, 10.08.2016, 14:00 -0700, BrianP wrote:

Hello Cornelius,

Everything is OK now.
In fact, there was no problem.

Connections via the API were always OK, with one or 2 LDAP servers.
The problem in my case was the response time.

With a single LDAP server, the response times are very long (sometimes
30s).
My tests with radtest all failed because radtest does not wait for the
response.

I use privacyIDEA with OpenVPN + RADIUS plugin.
By increasing the response time in the RADIUS plugin configuration,
everything works.

Sorry for the noise
Regards
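The two diagnostic points in this thread, Cornelius's advice to test against the Auth API /validate/check directly instead of reading RADIUS output, and Brian's finding that the RADIUS client gave up on a slow answer that privacyIDEA had in fact accepted, can be checked with one small script. This is an added example, not code from the thread or from the privacyIDEA project; the server URL, user name, PIN+OTP values and the 3 s client timeout are placeholders, and the sample responses are constructed in the shape of privacyIDEA's JSON API (result.status / result.value).

```python
"""Time privacyIDEA's /validate/check on its own, separate from the RADIUS path.

Added example (not from the thread or the privacyIDEA project). Assumptions:
BASE_URL, USER, the PIN+OTP values and CLIENT_TIMEOUT below are placeholders;
the response layout follows privacyIDEA's JSON API (result.status, result.value).
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def classify(elapsed, body, client_timeout):
    """Turn one timed /validate/check result into a verdict.

    A RADIUS client (radtest, the OpenVPN RADIUS plugin) stops waiting after its
    own timeout; an Access-Accept that arrives later is discarded, so the user sees
    a failure although privacyIDEA authenticated them. This is the case the thread
    ended on, and the '_too_late' verdicts make it visible.
    """
    result = body.get("result", {})
    if not result.get("status"):
        return "api_error"            # privacyIDEA itself reported an error
    authenticated = bool(result.get("value"))
    late = elapsed > client_timeout
    if authenticated:
        return "accepted_too_late" if late else "accepted"
    return "rejected_too_late" if late else "rejected"


def validate_check(base_url, user, password, http_timeout=60.0):
    """POST user/pass to /validate/check; return (elapsed_seconds, parsed_json).

    The HTTP timeout is deliberately long so that a slow LDAP pool is measured
    rather than cut off by this probe.
    """
    data = urllib.parse.urlencode({"user": user, "pass": password}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/validate/check",
        data=data,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    start = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=http_timeout) as resp:
            body = json.load(resp)
    except urllib.error.HTTPError as err:
        body = json.load(err)         # errors also come back as JSON with status false
    return time.monotonic() - start, body


def probe(base_url, user, passwords, client_timeout):
    """Run one check per supplied PIN+OTP and return [(elapsed, verdict), ...].

    One fresh OTP per round: an OTP is single-use, so reusing it would show up as
    a rejection that has nothing to do with latency. Several rounds matter because
    a round-robin pool with one dead member answers fast and slow alternately.
    """
    verdicts = []
    for password in passwords:
        elapsed, body = validate_check(base_url, user, password)
        verdicts.append((round(elapsed, 2), classify(elapsed, body, client_timeout)))
    return verdicts


def needs_longer_timeout(verdicts):
    """True if any round was answered only after the RADIUS client's timeout."""
    return any(verdict.endswith("_too_late") for _, verdict in verdicts)


# Constructed samples in the shape of the privacyIDEA API (not captured output).
SAMPLE_OK = {"jsonrpc": "2.0", "result": {"status": True, "value": True},
             "detail": {"message": "constructed: token matched"}, "id": 1}
SAMPLE_FAIL = {"jsonrpc": "2.0", "result": {"status": True, "value": False},
               "detail": {"message": "constructed: wrong PIN or OTP"}, "id": 1}
SAMPLE_ERR = {"jsonrpc": "2.0", "result": {"status": False,
              "error": {"code": -500, "message": "constructed error"}}, "id": 1}

if __name__ == "__main__":
    # Placeholders: point BASE_URL at your own privacyIDEA and supply real PIN+OTP values.
    BASE_URL = "https://privacyidea.example"
    USER = "user1"
    CLIENT_TIMEOUT = 3.0              # whatever your RADIUS client is configured to wait
    rounds = probe(BASE_URL, USER, ["PIN_OTP_1", "PIN_OTP_2", "PIN_OTP_3"], CLIENT_TIMEOUT)
    for elapsed, verdict in rounds:
        print(f"{elapsed:6.2f}s  {verdict}")
    if needs_longer_timeout(rounds):
        print("privacyIDEA answers, but later than the RADIUS client waits: raise the client timeout")
```

Run it once with both LDAP servers up and once with one of them stopped. A verdict of accepted_too_late with an elapsed time around 30 s reproduces what Brian saw: the authentication itself succeeded, and the fix is on the RADIUS client side (the OpenVPN plugin's timeout) rather than in the token setup. The server-side view of the same delay is in privacyidea.log, which is where Cornelius pointed first.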
