On Mon, Aug 26, 2013 at 02:45:29PM +0100, Arran Cudbard-Bell wrote:
Is it possible to limit the repeating ldap lookups that happen during mschap and tls negotiations? Like having an attribute that I could test for which would tell me that the negotiation is completed?
If you list the ldap module after the eap module in the default configuration then the default config already does this.
You may also want to consider using the rlm_cache module.
I'm using TTLS+TLS. I can see that the eap { ok = return } automagically skips to the authentication section but the first two access-requests in the session cause it to return updated status so the ldap lookups are executed. I assume there isn't much I can do about that, right? I then have a separate problem with the inner-tunnel where the inner-eap never returns ok in the authorization section so it keeps on doing the ldap lookups. in the session I have it did 9 separate passes which together with the outer tunnel is 11 ldap passes which in my case is more then 30 ldap lookups for a single user login. There are also these warnings in inner-tunnel WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! WARNING: !! EAP session for state 0xfa098d01f80a8033 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! but the inner tls session seems to be still progressing fine since the last warning is right before the last access-request which results in the access-accept for the user. Is there something I can do about the 9 lookups in the inner-tunnel server? I'll have a look at the rlm_cache as well but I'm just curious as to why is it happening. thanks Martin