Version 2.1.10

 

Since adding LDAP authorization, my login time has slowed down quite a bit. It takes 4 or 5 seconds longer for freeRadius to get through all of the [ldap] fields and send an Access-Accept. Is this a normal amount of time, or is there something in my configuration that is causing this slow down?

 

LDAP Module:

 

ldap {

        #

        #  Note that this needs to match the name in the LDAP

        #  server certificate, if you're using ldaps.

        server = "172.28.64.10"

        identity = "CN=User Name,OU=Phoenix_Users,DC=company,DC=com"

        password = password

        basedn = "DC=company,DC=com"

        filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"

        groupname_attribute = cn

        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{contr$

        groupmembership_attribute = memberOf

        # base_filter = "(objectclass=radiusprofile)"

 

        #  How many connections to keep open to the LDAP server.

        #  This saves time over opening a new LDAP socket for

        #  every authentication request.

        ldap_connections_number = 5

 

 

Debug:

 

Ready to process requests.

rad_recv: Access-Request packet from host 172.28.64.3 port 1645, id=98, length=85

                User-Name = "RadiusUser"

                User-Password = "password"

                NAS-Port = 3

                NAS-Port-Id = "tty3"

                NAS-Port-Type = Virtual

                Calling-Station-Id = "172.28.64.119"

                NAS-IP-Address = 172.28.64.3

# Executing section authorize from file /etc/freeradius/sites-enabled/default

+- entering group authorize {...}

++[preprocess] returns ok

++[chap] returns noop

++[mschap] returns noop

++[digest] returns noop

[suffix] No '@' in User-Name = "RadiusUser", looking up realm NULL

[suffix] No such realm "NULL"

++[suffix] returns noop

[eap] No EAP-Message, not doing EAP

++[eap] returns noop

  [ldap] Entering ldap_groupcmp()

[files]    expand: DC=company,DC=com -> DC=company,DC=com

[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details

[files]    ... expanding second conditional

[files]    expand: %{User-Name} -> RadiusUser

[files]    expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] attempting LDAP reconnection

  [ldap] (re)connect to 172.28.64.10:389, authentication 0

  [ldap] bind as CN=User Name,OU=Alaska_Users,DC=company,DC=com/password to 172.28.64.10:389

  [ldap] waiting for bind result ...

  [ldap] Bind was successful

  [ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))

  [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com

  [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com

  [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com

  [ldap] ldap_release_conn: Release Id: 0

[files]    expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom)))

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] performing search in DC=company,DC=com, with filter (&(cn=Radius-Users)(|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))))

  [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com

  [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com

  [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com

  [ldap] object not found

  [ldap] ldap_release_conn: Release Id: 0

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] performing search in CN=User Name,OU=Alaska_Users,DC=company,DC=com, with filter (objectclass=*)

  [ldap] performing search in CN=Radius-Users,OU=Alaska_Users,DC=company,DC=com, with filter (cn=Radius-Users)

rlm_ldap::ldap_groupcmp: User found in group Radius-Users

  [ldap] ldap_release_conn: Release Id: 0

[files] users: Matched entry DEFAULT at line 176

++[files] returns ok

[ldap] performing user authorization for RadiusUser

[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details

[ldap]    ... expanding second conditional

[ldap]    expand: %{User-Name} -> RadiusUser

[ldap]    expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))

[ldap]    expand: DC=company,DC=com -> DC=company,DC=com

  [ldap] ldap_get_conn: Checking Id: 0

  [ldap] ldap_get_conn: Got Id: 0

  [ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))

  [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com

  [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com

  [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com

[ldap] No default NMAS login sequence

[ldap] looking for check items in directory...

[ldap] looking for reply items in directory...

WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?

[ldap] user RadiusUser authorized to use remote access

  [ldap] ldap_release_conn: Release Id: 0

++[ldap] returns ok

++[expiration] returns noop

++[logintime] returns noop

[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.

++[pap] returns noop

++? if (!control:Auth-Type)

? Evaluating !(control:Auth-Type) -> TRUE

++? if (!control:Auth-Type) -> TRUE

++- entering if (!control:Auth-Type) {...}

+++[control] returns noop

++- if (!control:Auth-Type) returns noop

Found Auth-Type = ntlm_auth

# Executing group from file /etc/freeradius/sites-enabled/default

+- entering group authenticate {...}

[ntlm_auth]       expand: --username=%{mschap:User-Name} -> --username=RadiusUser

[ntlm_auth]       expand: --password=%{User-Password} -> --password=password

Exec-Program output: NT_STATUS_OK: Success (0x0)

Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)

Exec-Program: returned: 0

++[ntlm_auth] returns ok

# Executing section post-auth from file /etc/freeradius/sites-enabled/default

+- entering group post-auth {...}

++[exec] returns noop

Sending Access-Accept of id 98 to 172.28.64.3 port 1645

                Service-Type = NAS-Prompt-User

                Cisco-AVPair = "shell:priv-lvl=15"

                Motorola-WIBB-Auth-Role = security-officer-role

Finished request 0.

Going to the next request

Waking up in 4.9 seconds.

Cleaning up request 0 ID 98 with timestamp +17

Ready to process requests.

 

 

T. Brady