On Jan 11, 2013, at 2:32 PM, Arran Cudbard-Bell <a.cudbardb@freeradius.org> wrote:
[snip]
Yeah it'll just bog down your LDAP server instead. You should use rlm_cache to cache the result of the LDAP lookup (once you have all this working)*.
Have you added nostrip for all the realms? The only way I can see it clobbering username is if stripping is enabled.
So that was my first thought too. However, I have limited visibility into the remote lab crypto server and when I sent a request to with a realm included, it flat out dropped the request. Didn't reply at all. So I need the realm to so the proxy portion can hit the right destination, but I need the User-Name stripped so the remote server can understand it.
-Arran
PS: You know you want to test the threaded version of the updated rlm_krb5 module :)
I do! Once I get this configuration working I'll be happy to try it. One of my todos for this whole config revamp is to stress test the environment against a brute force attack (we get them frequently). Then I'll have some before numbers to compare with the after.
* Only use the rlm_cache module from 2.2.1 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html