Auth-Type Fall-Through & ldap timeouts
Phil Mayers
p.mayers at imperial.ac.uk
Wed Apr 18 14:36:20 CEST 2012
On 18/04/12 13:16, Tobias Hachmer wrote:
> Ok, I configure the same users, these are about 10-15 users, which
> are stored in Active Directory, in the sql database. The sql database
> should be used for authentication only if the ldap servers are not
> available.
So the SQL server contains an "emergency" subset of the real users?
I guess that makes sense.
>> Which LDAP client libraries are you using, and which version?
> I use debian squeeze with libldap package libldap-2.4-2, an apt-cache
> show libldap-2.4-2 shows the Version: 2.4.23-7.2
>
>> Which version of FreeRADIUS?
> FreeRADIUS 2.1.12
>
>> What does a "tcpdump" show for port 389 during your tests? Do you
>> get TCP RSTs, ICMP errors, or what?
> So I just sniffed the network for packets and recognized that my
> freeradius machine sends out a lot of arp packets for the dns
> server. Then I added the ldap server to the hosts file and now the
> net_timeout = 1 seems to work. The timeouts now are ok and the first
> radius-request is answered in time.
Ok, that's good to know.
This is sort of what I mean when I refer to libldap having an API that
is sub-optimal in some cases; the net_timeout should really apply to an
entire connection attempt, not just the connect() or read() calls.
It's hard to know what FreeRADIUS can do about this; maybe there is
scope for some kind of long-lived helper process that pools and polls
the LDAP servers, pro-actively detecting failures. But it seems a
complex solution.
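To make the timeout point above concrete, here is an added Python probe (not FreeRADIUS or libldap code) that enforces a single budget across name resolution and connect() together and reports the time spent in each phase, so a stalled resolver shows up as a resolution delay rather than as a connect timeout that never fires. The listener helper is a constructed stand-in for a reachable LDAP server.

```python
import socket
import threading
import time

def resolve_with_deadline(host, port, deadline):
    """Resolve host:port, giving up at an absolute deadline (time.monotonic()).
    getaddrinfo() has no timeout of its own, so it runs in a daemon thread
    and the caller simply stops waiting for it once the deadline passes."""
    outcome = []

    def worker():
        try:
            outcome.append(socket.getaddrinfo(host, port, type=socket.SOCK_STREAM))
        except OSError as exc:
            outcome.append(exc)
    thread = threading.Thread(target=worker, daemon=True)
    thread.start()
    thread.join(timeout=max(0.0, deadline - time.monotonic()))
    if thread.is_alive() or time.monotonic() >= deadline:
        raise TimeoutError("name resolution of %r exceeded the connection budget" % host)
    if isinstance(outcome[0], OSError):
        raise outcome[0]
    return outcome[0]

def probe(host, port, budget):
    """Try a TCP connect under one overall budget (seconds) covering both
    name resolution and connect(); report the time spent in each phase."""
    deadline = time.monotonic() + budget
    report = {"ok": False, "error": None, "resolve_s": 0.0, "connect_s": 0.0}
    started = time.monotonic()
    try:
        family, socktype, proto, _, sockaddr = resolve_with_deadline(host, port, deadline)[0]
        report["resolve_s"] = time.monotonic() - started
        sock = socket.socket(family, socktype, proto)
        sock.settimeout(max(0.001, deadline - time.monotonic()))  # only what is left
        started = time.monotonic()
        try:
            sock.connect(sockaddr)
            report["ok"] = True
        finally:
            report["connect_s"] = time.monotonic() - started
            sock.close()  # this is a probe, not a connection pool
    except OSError as exc:  # TimeoutError, gaierror, ConnectionRefusedError, ...
        report["error"] = "%s: %s" % (type(exc).__name__, exc)
    return report

def local_listener():
    """Constructed stand-in for a reachable LDAP server: a listener on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]
```

Pointing the probe at the real LDAP host name (rather than an address) shows whether the budget is being consumed by resolution, which is exactly the case a per-call net_timeout does not bound.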