Load balance LDAP servers for group checking

Petar Marinkovic highl1 at gmail.com
Mon May 15 10:58:26 CEST 2017


Thanks. This message got lost in the chain, if anyone can maybe verify what
I am doing is right:

I have this in my ldap module config

        # seconds to wait for LDAP query to finish. default: 20
        timeout = 4

        #  seconds LDAP server has to process the query (server-side
        #  time limit). default: 20
        #
        #  LDAP_OPT_TIMELIMIT is set to this value.
        timelimit = 3

        #
        #  seconds to wait for response of the server. (network
        #   failures) default: 10
        #
        #  LDAP_OPT_NETWORK_TIMEOUT is set to this value.
        net_timeout = 1

And I am almost positive that I didn't change this one. Does this mean I am
only allowing 4 seconds for LDAP query to finish, and only 3 for LDAP to
process? Also, timeout is just 1 second, which seems pretty low.
Guess that if my settings here are wrong, I can fix my problem just by
setting bigger values, since the LDAP is not down.

Thanks for all your help!

On Fri, May 12, 2017 at 6:52 PM, Alan DeKok <aland at deployingradius.com>
wrote:

> On May 12, 2017, at 12:19 PM, Petar Marinkovic <highl1 at gmail.com> wrote:
> >
> > Well, LDAP is Windows AD, and they're constantly up, I more think it's an
> > issue from the KVM running freeradius VM, that for some reason networking
> > is lost, or the switches.
>
>   That's possible, too.
>
> > I would get failed authentications somewhere else
> > as well, not just through freeradius with group AD check.
>
>   Maybe.  But with v2, FreeRADIUS is probably doing more LDAP queries than
> anything else.
>
> > At v3, how long are the group checks cached? Is there a setting it can be
> > defined or ? Also, does that mean at the next re-authentication request, it
> > will check the MAC address and certificate, but will use the cached group
> > value?
>
>   No.  Each request is independent of others.
>
>   When it does the first LDAP group check, it caches *all* of the groups.
> So that subsequent group checks for the same request use the cached entries.
>
>   Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>


More information about the Freeradius-Users mailing list