Auth-Type Fall-Through & ldap timeouts

Tobias Hachmer lists at kokelnet.de
Wed Apr 18 14:51:29 CEST 2012


On 18.04.2012 14:36, Phil Mayers wrote:
> On 18/04/12 13:16, Tobias Hachmer wrote:
>> Ok, I configure the same users, these are about 10-15 users, which
>> are stored in Active Directory, in the sql database. The sql
>> database should be used for authentication only if the ldap servers
>> are not available.
>
> So the SQL server contains an "emergency" subset of the real users?
Yes, that's what I tried to explain.

>> So I just sniffed the network for packets and recognized that my
>> freeradius machine sends out a lot of arp packets for the dns
>> server. Then I added the ldap server to the hosts file and now the
>> net_timeout = 1 seems to work. The timeouts now are ok and the first
>> radius-request is answered in time.
>
> Ok, that's good to know.
>
> This is sort of what I mean when I refer to libldap having an API
> that is sub-optimal in some cases; the net_timeout should really
> apply to an entire connection attempt, not just the connect() or
> read() calls.
>
> It's hard to know what FreeRADIUS can do about this; maybe there is
> scope for some kind of long-lived helper process that pools and polls
> the LDAP servers, pro-actively detecting failures. But it seems a
> complex solution.

I worried about this, so I asked for any other opportunities.

Tobias Hachmer
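
The thread's point that a timeout should bound the entire connection attempt, name resolution included, can be shown with a small reachability probe of the kind a polling helper could run. This is an added example, not code from the thread, FreeRADIUS or libldap; `probe` and `slow_resolver` are hypothetical names, the slow resolver is constructed to stand in for a stalled DNS lookup, and the check is TCP-only (no LDAP bind).

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Resolver calls run in worker threads so a stalled lookup cannot block the caller.
_pool = ThreadPoolExecutor(max_workers=4)

def slow_resolver(host, port, family, socktype):
    """Constructed stand-in for a name lookup that stalls (e.g. DNS server unreachable)."""
    time.sleep(1.0)
    return []

def probe(host, port, deadline_s, resolver=socket.getaddrinfo):
    """TCP reachability check where deadline_s covers resolution AND connect."""
    start = time.monotonic()
    fut = _pool.submit(resolver, host, port, 0, socket.SOCK_STREAM)
    try:
        addrs = fut.result(timeout=deadline_s)   # resolution is inside the budget
    except FutureTimeout:
        return False, "resolve-timeout"
    except OSError as exc:
        return False, f"resolve-error: {exc}"
    last = "no-addresses"
    for family, socktype, proto, _canon, sockaddr in addrs:
        remaining = deadline_s - (time.monotonic() - start)
        if remaining <= 0:
            return False, "deadline-exceeded"
        try:
            with socket.socket(family, socktype, proto) as s:
                s.settimeout(remaining)          # connect gets only what is left
                s.connect(sockaddr)
                return True, "ok"
        except OSError as exc:
            last = f"connect-error: {exc}"
    return False, last

if __name__ == "__main__":
    # Constructed local listener so the demo runs offline.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    print(probe("127.0.0.1", srv.getsockname()[1], 1.0))
    print(probe("ldap.example.invalid", 389, 0.2, resolver=slow_resolver))
    srv.close()
```

A poller built on such a probe would mark a server down before a RADIUS request has to wait on it; the stalled lookup still occupies a worker thread until it returns.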



More information about the Freeradius-Users mailing list