LDAP Config Clarification

Alan DeKok aland at deployingradius.com
Tue Mar 17 10:37:24 CET 2009


Jason Frisvold wrote:
> I recently set up a new freeradius installation for VPN authentication.
> This is my first foray into using the LDAP module and, while I am
> successfully authenticating, I want to make sure that my config is both
> correct and streamlined.  I am seeing a few failed authentications due
> to loss of LDAP connections, so I'm also trying to identify where that
> problem exists.

  Likely because the LDAP connections time out, and are closed.

> The radius server is currently very low use, handling only a few
> requests an hour.  This may increase later on, but I don't see it having
> to handle more than a few requests per minute.  However, I would like to
> make sure those requests are handled efficiently and quickly.

  Yes... that little traffic will result in LDAP connection timeouts.

> In our users file, we have the following :
> 
> DEFAULT Auth-Type := Reject
>         Fall-Through = 1

  Huh?  Why?

> DEFAULT Ldap-Group == "cn=vpn,ou=groups,o=myorg", Auth-Type := Accept
>         Fall-Through = 1

  Do you really want to accept these users without checking their
passwords?  That's a *very* bad idea.

> I was able to get this to work, but it appears that every group is
> scanned to find the user rather than merely using the memberOf attribute
> in the main LDAP record.  Is there a way to trigger on that rather than
> scanning the groups?

  The group membership configurations should ensure that it's using the
memberOf attribute.

> In the main radius config, can I remove all of the unused modules?  I
> don't believe we're using PAP/CHAP/MS-CHAP at all, nor are we using the
> unix passwd file or EAP.  Those can all be commented out to save
> time/resources, correct?

  Why are you not checking passwords?  That's a bad idea...

  If you don't use a module, you can delete all references to it.  It
will make some *minor* difference in performance.  But if you're getting
a few requests a minute, that difference will be minuscule.

  Alan DeKok.
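A corrected users-file and rlm_ldap layout covering the two points raised above (letting the ldap module verify the password instead of forcing Auth-Type := Accept, and resolving Ldap-Group from the user's memberOf attribute rather than searching every group). This is an added example, not configuration from the thread; it assumes the FreeRADIUS 2.x config layout, that the VPN concentrator sends PAP (an LDAP bind needs the cleartext password), and a placeholder LDAP server name.

```text
# --- raddb/users ---
# Anyone outside the VPN group is rejected here.  Members fall through
# with no Auth-Type forced, so the ldap module sets Auth-Type := LDAP
# and the password is verified by binding to the directory as the user.
DEFAULT Ldap-Group != "cn=vpn,ou=groups,o=myorg", Auth-Type := Reject
        Reply-Message = "Not authorized for VPN access"

# --- raddb/modules/ldap (relevant settings only) ---
ldap {
        server = "ldap.example.org"     # placeholder, not from the thread
        basedn = "o=myorg"
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

        # Ldap-Group is compared against the DNs in the user's own
        # memberOf attribute; since the check value in the users file
        # is a full DN, no per-group search is needed.
        groupname_attribute = cn
        groupmembership_attribute = memberOf
}

# --- raddb/sites-enabled/default (relevant sections only) ---
authorize {
        preprocess
        files        # evaluates the users file above
        ldap         # fetches the user, sets Auth-Type := LDAP if unset
}

authenticate {
        Auth-Type LDAP {
                ldap         # bind as the user with User-Password
        }
}
```

With this layout a request for a user who is in the group but supplies the wrong password is rejected by the bind, which the Auth-Type := Accept entry in the original users file never does.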
