Hi, On Wed, Oct 16, 2013 at 10:00:45AM +0100, A.L.M.Buxey@lboro.ac.uk wrote:
I've just sent a pull request that adds an option 'timeout' to rlm_exec and 'ntlm_auth_timeout' to rlm_mschap. Defaults are both 10s (the current setting). The ntlm_auth timeout can only be reduced... I can't imagine a correctly functioning AD domain where a successful auth takes >10s.
how does this sort of thing interplay with those people who are using the MSCHAP password retry feature - which would, I believe, cause the module itself not to return until the user has finally put in a succesful password - which might be longer than eg 30s
I don't think this will be an issue - that will be eap/radius timers? The current hardcoded timeout for an exec is 10 seconds, so ntlm_auth could never be running for longer than that or it will get killed off. I've not looked at it, but I assume any password retries will re-run ntlm_auth each time (it can't pass a new password to an existing one, as it's passed on the command line - which I guess the pipe thing is all about fixing). Cheers, Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>