LDAP, old TCP connections, and retry

Alan DeKok aland at deployingradius.com
Wed Mar 10 08:34:09 CET 2010


Justin Steward wrote:
> Question 1:
> The LDAP server which the radius server attempts to connect to is
> located behind a firewall which kills TCP connections that have been
> idle for 30 minutes. FR then tries to do a lookup using a connection
> that has been open and idle for half an hour or more, and the firewall
> drops the now invalid connection.

  I fail to understand why people do this.  Firewall two critical
components, and then *increase* failure by having the FW break TCP
connections.

> How can I force an idle timeout on LDAP connections in FR?

  Change the source code in rlm_ldap.

> Question 2:
> From the information I have been given, it appears that if the
> connection times out, LDAP does not attempt to retry.
> 
> Is there a way to force FR to make 1 or 2 attempts at retrying the
> connection before giving up on LDAP?

  Change the source code.

> The current situation is causing many headaches trying to log in, and
> the client is reluctant to relax their firewall for a number of
> reasons.

  <shrug>  They chose to destroy their own network.  I'm not surprised
they're hesitant to fix it.

  Alan DeKok.
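What such a change to rlm_ldap would have to do, shown as an added illustration rather than code from FreeRADIUS or from anyone in this thread: an idle limit that recycles the LDAP session before the firewall's 30-minute cut-off, and one or two retries on a fresh session when a search hits a dead socket. The firewall and LDAP server are replaced by a constructed in-memory stand-in (FirewalledSession) and a fake clock, so it runs offline.

```python
class StaleConnection(Exception):
    """The TCP session was already dead when used (e.g. silently dropped by a firewall)."""

class IdleAwareLdapClient:
    def __init__(self, connect, clock, idle_timeout=float("inf"), max_attempts=1):
        self._connect, self._clock = connect, clock   # clock is injected so the demo can skip 30 minutes
        self._idle_timeout, self._max_attempts = idle_timeout, max_attempts
        self._conn, self._last_used, self.reconnects = None, 0.0, 0

    def _session(self):
        now = self._clock()
        if self._conn is not None and now - self._last_used >= self._idle_timeout:
            self._conn = None                         # idle past the limit: assume the firewall killed it
        if self._conn is None:
            self._conn, self.reconnects = self._connect(), self.reconnects + 1
        self._last_used = now
        return self._conn

    def search(self, dn):
        error = None
        for _ in range(self._max_attempts):
            try:
                return self._session().search(dn)
            except StaleConnection as exc:
                error, self._conn = exc, None         # discard the dead socket, then retry on a fresh one
        raise error

class FirewalledSession:
    """Constructed stand-in for a real session: the firewall drops it after firewall_idle seconds of silence."""
    def __init__(self, clock, firewall_idle=1800):
        self._clock, self._firewall_idle, self._last = clock, firewall_idle, clock()

    def search(self, dn):
        if self._clock() - self._last >= self._firewall_idle:
            raise StaleConnection("connection reset by peer")
        self._last = self._clock()
        return {"dn": dn}

def lookups_after_idle(idle_timeout, max_attempts, idle_seconds):
    # Two searches separated by idle_seconds of silence; returns the number of sessions
    # opened, or None when the second lookup failed outright.
    now = [0.0]
    clock = lambda: now[0]
    client = IdleAwareLdapClient(lambda: FirewalledSession(clock), clock, idle_timeout, max_attempts)
    client.search("uid=alice,ou=people,dc=example,dc=org")
    now[0] += idle_seconds
    try:
        client.search("uid=bob,ou=people,dc=example,dc=org")
    except StaleConnection:
        return None                                   # no idle limit and no retry: the request just fails
    return client.reconnects
```

With neither knob set, a lookup after 30 idle minutes fails; an idle limit at or below the firewall's timeout avoids the dead socket entirely, and a second attempt recovers from it after the fact.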



More information about the Freeradius-Users mailing list