Failed (re-)authentification after some time...
Alan DeKok
aland at deployingradius.com
Thu Sep 2 14:46:00 CEST 2010
Jan Zacharias wrote:
> Alan DeKok <aland at deployingradius.com> wrote on 1 September 2010 at
> 15:46:
>> Yes. Any child script which takes that long is broken.
>
> No, it can also be just someone pulling a network cord/routing changes
> etc. etc.
Let me be clear: RADIUS clients and servers expect responses within a
short time frame, usually milliseconds. Asking clients to wait many
seconds for a slow script on the server is *impossible*. Many clients
will give up, and reject the user.
i.e. the RADIUS client doesn't care *why* the script is taking too
long. All it knows is that the user can't log in.
Please explain to your users
>> - fork ntlm_auth
>> - wait 1s for it to return
>> - if it doesn't return, kill it
>> - try to fork it again
>
> Yeah sure, this was also my first idea, but I'm still limited to ten
> seconds then :(
So... set the "don't wait" flag on the executed program. See the
documentation for the "exec" module, or the "Exec-Program" attribute.
>> This isn't a server problem, and changing the server isn't necessary.
>
> Sure it's not a problem, but it would improve reliability and robustness.
No, it would not improve reliability and robustness. Adding more
> This is not about finger pointing or so, I just want to help make
> freerad even better :)
Yes... but we try not to re-invent the wheel. If you can add a
feature by writing a few lines of a shell script, there is little reason
to update the server source with that feature.
Alan DeKok.
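
The four steps quoted in the message above (fork the helper, wait 1s, kill it if it has not returned, fork it again), written out as a POSIX shell wrapper. This is an added example, not code from the thread or from FreeRADIUS; `run_once`, `run_with_retry`, `TIMEOUT_SECS`, `MAX_TRIES`, `RUN_TRIES` and the use of exit status 124 for a timeout (the value GNU `timeout` uses) are assumptions of the sketch, and it needs a `sleep` that accepts fractional seconds.

```shell
#!/bin/sh
# Added example: bound the run time of an authentication helper and retry it.
# All names below are hypothetical; none are FreeRADIUS settings.
TIMEOUT_SECS="${TIMEOUT_SECS:-1}"   # "wait 1s for it to return"
MAX_TRIES="${MAX_TRIES:-2}"         # first attempt plus "try to fork it again"

# run_once CMD [ARGS...]
# Runs CMD in the background and polls it in 0.1 s steps.
# Returns CMD's own exit status, or 124 if it had to be killed.
# Note: a background job in a script gets /dev/null as stdin, so the helper
# must take its input from its arguments or environment.
run_once() {
    "$@" &
    ro_pid=$!
    ro_ticks=$((TIMEOUT_SECS * 10))
    while kill -0 "$ro_pid" 2>/dev/null; do
        if [ "$ro_ticks" -le 0 ]; then
            # Deadline passed: SIGKILL cannot be caught or ignored by a hung helper.
            kill -s KILL "$ro_pid" 2>/dev/null
            wait "$ro_pid" 2>/dev/null   # reap it so no zombie is left behind
            return 124
        fi
        sleep 0.1
        ro_ticks=$((ro_ticks - 1))
    done
    wait "$ro_pid"                       # collect the helper's real exit status
}

# run_with_retry CMD [ARGS...]
# Retries only after a timeout. A helper that answered (accept or reject) is
# passed through unchanged, so a reject is never retried into something else.
# RUN_TRIES records how many attempts were made.
run_with_retry() {
    RUN_TRIES=0
    while [ "$RUN_TRIES" -lt "$MAX_TRIES" ]; do
        RUN_TRIES=$((RUN_TRIES + 1))
        rr_status=0
        run_once "$@" || rr_status=$?
        if [ "$rr_status" -ne 124 ]; then
            return "$rr_status"
        fi
    done
    return 124   # fail closed: every attempt timed out, report failure
}

# When saved as a script and given a command line, wrap that command.
if [ "$#" -gt 0 ]; then
    run_with_retry "$@"
    exit $?
fi
```

With the defaults the worst case is `TIMEOUT_SECS * MAX_TRIES` seconds before the caller gets a non-zero status, so both values have to fit inside the RADIUS client's own retransmit window.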