On 10/17/2011 06:58 PM, Alan Buxey wrote:
Hi,
Sounds nice! Out of curiosity: any plans to make LDAP connections persistent and pooled as well? one of my customers has very high numbers of LDAP calls in authorize, and needs to do LDAPS. The TLS session setup load is very uncomfortable right now.
why do they have a very high number of calls to LDAP? Are they calling LDAP in the outerID of EAP requests? are they calling LDAP for non local requests?
N.B. as per the discussion on the Janet-roaming mailing list a while back, and on this list a bit later - if you're running PEAP/MS-CHAP, even running LDAP on the inner tunnel will, currently, incur 3 LDAP lookups, one for each pass through the inner tunnel - EAP-identity, EAP-MSCHAP, EAP-success. Once I've failed my exam tomorrow (haha! just kidding... I hope) I will have some free time, and will revisit the EAP code changes needed to make this not happen. Or you could use the vilest unlang ever devised[1] # stop processing authorize on eap identity or mschap success/fail if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) { noop } else { # rest if your inner EAP goes here } BWahahahaha! Cheers, Phil [1] Unlang may not actually be the vilest ever devised