Auth-Type Fall-Through & ldap timeouts

Phil Mayers p.mayers at
Wed Apr 18 14:36:20 CEST 2012

On 18/04/12 13:16, Tobias Hachmer wrote:

> Ok, I configure the same users, these are about 10-15 users, which
> are stored in Active Directory, in the sql database. The sql database
> should be used for authentication only if the ldap servers are not
> available.

So the SQL server contains an "emergency" subset of the real users?

I guess that makes sense.

>> Which LDAP client libraries are you using, and which version?
> I use debian squeeze with libldap package libldap-2.4-2, an apt-cache
>  show libldap-2.4-2 shows the Version: 2.4.23-7.2
>> Which version of FreeRADIUS?
> FreeRADIUS 2.1.12
>> What does a "tcpdump" show for port 389 during your tests? Do you
>> get TCP RSTs, ICMP errors, or what?

> So I just sniffed the network for packets and recognized that my
> freeradius machine sends out a lot of arp packets for the dns
> server. Then I added the ldap server to the hosts file and now the
> net_timeout = 1 seems to work. The timeouts now are ok and the first
> radius-request is answered in time.

Ok, that's good to know.

This is sort of what I mean when I refer to libldap having an API that 
is sub-optimal in some cases; the net_timeout should really apply to an 
entire connection attempt, not just the connect() or read() calls.

It's hard to know what FreeRADIUS can do about this; maybe there is 
scope for some kind of long-lived helper process that pools and polls 
the LDAP servers, pro-actively detecting failures. But it seems a 
complex solution.
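
An added example, not part of the original message and not FreeRADIUS or libldap code: a Python sketch of a connection attempt where one time budget covers the name lookup as well as `connect()`, the behaviour the reply above says `net_timeout` should have. The names `connect_with_deadline`, `DeadlineExceeded` and the `resolver` parameter are assumptions made for this illustration.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Shared worker pool: a hung lookup occupies one worker but never blocks the caller.
_RESOLVER_POOL = ThreadPoolExecutor(max_workers=4)


class DeadlineExceeded(Exception):
    """The whole attempt (lookup + connect) did not finish within the budget."""


def connect_with_deadline(host, port, budget, resolver=socket.getaddrinfo):
    """Return a connected TCP socket, spending at most `budget` seconds in total."""
    deadline = time.monotonic() + budget

    # 1. Name resolution runs in a worker thread so it can be abandoned on timeout.
    #    A per-socket timeout alone would not cover this step.
    future = _RESOLVER_POOL.submit(resolver, host, port, 0, socket.SOCK_STREAM)
    try:
        addrinfos = future.result(timeout=budget)
    except FutureTimeout:
        raise DeadlineExceeded(f"resolving {host} exceeded {budget}s") from None

    # 2. Every connect() only gets what is left of the same budget.
    last_error = None
    for family, socktype, proto, _canon, sockaddr in addrinfos:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(remaining)
        try:
            sock.connect(sockaddr)
            return sock
        except OSError as exc:  # refused, unreachable, or timed out
            last_error = exc
            sock.close()

    raise DeadlineExceeded(
        f"no connection to {host}:{port} within {budget}s"
    ) from last_error
```

A caller that gets `DeadlineExceeded` can move on to its fallback source straight away, whatever stage of the attempt stalled.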
