On Fri, Feb 23, 2007 at 02:49:57PM +0000, A.L.M.Buxey@lboro.ac.uk wrote:
Hi,
active sessions and if he is allowed to have a session the request is proxied to the FUNK server that performs the actual authentication. So the setup is a classical proxy setup. This policy decision of whether ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
whoah. steady on there. this is not a classical proxy setup. in a classical proxy setup ALL autentication is handled by a 3rd party. in this case you are doing an LDAP authorization on the FreeRADIUS box.
OK you have a point there, my wording is incorrect. Yes, we do make an authorization decision in the freeradius box.
the fact that this works on testing but not in high-volume production points a marked finger towards this LDAP process.
The 'ldap process' you refer to is actually rlm_ldap and a tiny module of ours. However, we have never observed any issues with them, no error messages or any other logging messages. I believe I have a valid and quite simple (for my purposes of course) configuration. I make the authorization decision and if all OK, I proxy the request, otherwise I reject the request without proxying it. radiusd -X confirms that the configuration is correct, however I have this problem behaviour in large scale. My initial suspitions go to the proxying code to be honest, but I need to take a good look to grasp it.
alan
Kostas