Tweaking LDAP parameters

Alan DeKok aland at deployingradius.com
Wed Apr 13 13:58:08 CEST 2016


On Apr 13, 2016, at 5:12 AM, David Hartburn <D.J.Hartburn at kent.ac.uk> wrote:
> Yesterday, I moved a fair chunk of our on-site wireless to FreeRADIUS as we migrate from our NPS servers. I have had a number of complaints of users being forced to reauthenticate (prompted for their password again) on odd occasions throughout the day. Logs show a login incorrect:
> 
> Tue Apr 12 15:06:47 2016 : Auth: (264236) Login OK: [xxx at kent.ac.uk] (from client cwlc-tlb port 2 cli a8:66:7f:12:a9:b9)

  Those logs are useless.  Post the debug log as suggested in the FAQ, "man" page, web pages, and daily on this list.

  Posting OTHER logs is just wasting everyone's time.

> It looks like it is rejecting the auth because it can not make the LDAP connection to validate the user.

  It looks like the *real* reason why the user is disconnected is in the debug logs.

> Two questions on this. First, is it possible to allow clients a couple of attempts to retry their authentication before completely rejecting and forcing them to enter their password again?

  No.  The authentication process is driven entirely by the client.  There's no way for the RADIUS server to push configuration to the client.

> Second, are there any rules of thumb regarding setting min, max and spare for LDAP connections? At the moment I have:

  Set them the same as the thread pools.

  Alan DeKok.
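As an added illustration of the "same as the thread pools" rule of thumb (this is not part of the thread, and the specific numbers are constructed for the example), here is how the two sections relate in a FreeRADIUS 3.0 configuration. The `thread pool` block lives in radiusd.conf; the `pool` block is inside the ldap module in mods-available/ldap. The stock ldap module already references the thread pool values with `${thread[pool].…}` expansions, so leaving those references in place keeps the LDAP connection pool sized to the number of worker threads automatically.

```conf
# radiusd.conf: the worker thread pool (constructed values for this example)
thread pool {
	start_servers = 5
	max_servers = 32
	min_spare_servers = 3
	max_spare_servers = 10
	max_requests_per_server = 0
}

# mods-available/ldap: the connection pool for the ldap module.
# Referencing the thread pool keeps the two in step, which is the point
# of the advice above: every worker thread that needs LDAP can get a
# connection, and no more connections are opened than threads exist.
ldap {
	server = 'ldap.example.org'   # placeholder, not a real host

	pool {
		# Connections opened when the module is instantiated
		start = ${thread[pool].start_servers}

		# Minimum number of connections kept open
		min = ${thread[pool].min_spare_servers}

		# Hard ceiling. If this is LOWER than max_servers, threads can
		# starve waiting for a connection and requests are rejected
		# even though the directory itself is healthy.
		max = ${thread[pool].max_servers}

		# Idle connections kept ready for bursts; must be <= max
		spare = ${thread[pool].max_spare_servers}

		# 0 = reuse a connection indefinitely
		uses = 0

		# Seconds to back off after a failed connection attempt
		retry_delay = 30

		# 0 = no forced reconnect by age
		lifetime = 0

		# Close connections unused for this many seconds
		idle_timeout = 60
	}
}
```

When diagnosing the intermittent rejects described in the question, confirm the sizing with `radiusd -X` (the debug output Alan asks for) rather than the Auth log: a pool that is too small relative to the thread pool shows up there as requests failing to obtain an LDAP connection at the moment of the reject, whereas a pool sized from the thread pool values removes that cause and leaves only genuine directory or credential problems to investigate.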