I am using freeRADIUS 3.0 with two data sources:

  • users file
  • openldap

The configuration is working fine, but when freeRADIUS is started at power-on and the LDAP server is not available, freeRADIUS complains and doesn't start.

So, is there a special configuration to say to freeRADIUS:

"hey, you can't bind now to LDAP, never mind, use only users file as data source." ?

Update 2017.02.11 ===========
/etc/raddb/sites-enabled/default and inner-tunnel files:

    authorize {
        eap {
           ok = return
        ldap {
          fail = 1
        if (fail) {

Extract from debug mode:

    radiusd -X
    FreeRADIUS Version 3.0.16
    rlm_ldap (ldap): Initialising connection pool
       pool {
            start = 0
            min = 0
            max = 32
            spare = 0
            uses = 0
            lifetime = 0
            cleanup_interval = 30
            idle_timeout = 60
            retry_delay = 30
            spread = no
    rlm_ldap (ldap): Loading dynamic clients
    rlm_ldap (ldap): 0 of 0 connections in use.  You  may need to increase "spare"
    rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending slots used
    rlm_ldap (ldap): Connecting to ldap://srv1.lan4:636
    rlm_ldap (ldap): Bind with uid=radius,ou=users,dc=lan1 to ldap://srv1.lan4:636 failed: Can't contact LDAP server
    rlm_ldap (ldap): Opening connection failed (0)
    /etc/raddb/mods-enabled/ldap[312]: Error loading clients
    /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap"

  • If the problem is that they run on the same server, that is more a start-up priority/dependency problem which can be solved by simply making freeRadius dependent on the successful start-up of the openldap server, rather than starting both concurrently. – HBruijn Feb 08 '18 at 13:40
  • In fact it is a needed behaviour because data in users file enables critical network connectivity and LDAP server can't be available if critical network devices are not authorized by RADIUS ;) –  Feb 08 '18 at 14:38

1 Answer


Use the redundant section e.g.

    authorize {
        redundant {

If the first module fails, the second module will be called.

If you want the server to start if LDAP is unavailable set the pool.start configuration parameter to zero.

If you want to ignore the fact that the ldap module failed

    authorize {
        ldap {
            fail = 1
        if (fail) {

Arran Cudbard-Bell
  • To clarify, 'files' data store does not contain the same data as 'ldap' data store. Both are complementary data: 'files' for critical network devices and 'ldap' for user's network devices. So 'redundant' can't be used because in 'instantiate {}' section of radiusd.conf we have to use a 'virtual module name' that involves 'ldap' OR 'files' but not 'ldap' AND 'files'. –  Feb 10 '18 at 13:06
  • What I've tried: instantiate { ldap { fail = 1 } } but it does not work: radiusd.conf[742]: Cannot set return codes in a ldap block –  Feb 10 '18 at 13:07
  • The problem is at ldap module init: rlm_ldap (ldap): Bind with uid=radius,ou=users,dc=lan1 to ldap://srv1.lan4:636 failed: Can't contact LDAP server rlm_ldap (ldap): Opening connection failed (0) /etc/raddb/mods-enabled/ldap[312]: Error loading clients /etc/raddb/mods-enabled/ldap[8]: Instantiation failed for module "ldap" –  Feb 10 '18 at 13:14
  • Added more notes – Arran Cudbard-Bell Feb 10 '18 at 16:25
  • As you can see on my updated question, I have set your configuration including pool.start=0, but freeradius refuses to start. Could it be a bug in the ldap module? –  Feb 11 '18 at 12:38
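
An added example, not part of the original thread and not the posters' or the FreeRADIUS project's own configuration: the fragments below combine the answer's two suggestions (pool.start = 0 and the fail override) with one further setting. It assumes the module file has read_clients = yes, which the "Loading dynamic clients" and "Error loading clients" lines in the debug output suggest but the page does not show; the body of the if block is cut off on the page, so `ok` is this example's choice.

```conf
# Constructed fragments; paths follow the /etc/raddb layout in the question.

# --- /etc/raddb/mods-enabled/ldap ---
ldap {
    # server, identity, password and base_dn stay as already configured.

    # Assumption: this was "yes" in the question's setup. Reading client
    # definitions from the directory happens while the module is
    # instantiated, so it needs a reachable LDAP server at startup even
    # when pool.start is 0. With "no", clients that were read from LDAP
    # have to be listed in clients.conf instead.
    read_clients = no

    pool {
        # Open no connections at startup; they are opened on demand.
        start = 0
        min = 0
    }
}

# --- /etc/raddb/sites-enabled/default (and inner-tunnel) ---
authorize {
    # Entries for the critical network devices, always available locally.
    files

    # Lower the priority of "fail" so that an unreachable directory does
    # not stop processing of the section.
    ldap {
        fail = 1
    }
    if (fail) {
        # Assumed body (not shown on the page): carry on with whatever
        # the users file provided.
        ok
    }
}
```

Run `radiusd -X` with the directory unreachable and confirm both that the server starts and that a user who exists only in LDAP is still rejected.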