Jason Frisvold wrote:
I recently set up a new freeradius installation for VPN authentication. This is my first foray into using the LDAP module and, while I am successfully authenticating, I want to make sure that my config is both correct and streamlined. I am seeing a few failed authentications due to loss of LDAP connections, so I'm also trying to identify where that problem exists.
Likely because the LDAP connections time out, and are closed.
The radius server is currently very low use, handling only a few requests an hour. This may increase later on, but I don't see it having to handle more than a few requests per minute. However, I would like to make sure those requests are handled efficiently and quickly.
Yes... that little traffic will result in LDAP connection timeouts.
In our users file, we have the following :
DEFAULT Auth-Type := Reject Fall-Through = 1
Huh? Why?
DEFAULT Ldap-Group == "cn=vpn,ou=groups,o=myorg", Auth-Type := Accept Fall-Through = 1
Do you really want to accept these users without checking their passwords? That's a *very* bad idea.
I was able to get this to work, but it appears that every group is scanned to find the user rather than merely using the memberOf attribute in the main LDAP record. Is there a way to trigger on that rather than scanning the groups?
The group membership configurations should ensure that it's using the memberOf attribute.
In the main radius config, can I remove all of the unused modules? I don't believe we're using PAP/CHAP/MS-CHAP at all, nor are we using the unix passwd file or EAP. Those can all be commented out to save time/resources, correct?
Why are you not checking passwords? That's a bad idea... If you don't use a module, you can delete all references to it. It will make some *minor* difference in performance. But if you're getting a few requests a minute, that difference will be miniscule. Alan DeKok.