Hi all, I recently set up a new freeradius installation for VPN authentication. This is my first foray into using the LDAP module and, while I am successfully authenticating, I want to make sure that my config is both correct and streamlined. I am seeing a few failed authentications due to loss of LDAP connections, so I'm also trying to identify where that problem exists. The radius server is currently very low use, handling only a few requests an hour. This may increase later on, but I don't see it having to handle more than a few requests per minute. However, I would like to make sure those requests are handled efficiently and quickly. The current radius ldap config looks like this : modules { ldap { server = "ldap.example.com" port = 636 identity = "cn=manager,o=MyOrg" password = MySuperSecretPassword basedn = "o=MyOrg" filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" start_tls = no access_attr = "memberOf" dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 groupname_attribute = cn groupmembership_filter = "(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))" groupmembership_attribute = memberOf net_timeout = 1 timeout = 8 timelimit = 3 } } In our users file, we have the following : DEFAULT Auth-Type := Reject Fall-Through = 1 DEFAULT Ldap-Group == "cn=vpn,ou=groups,o=myorg", Auth-Type := Accept Fall-Through = 1 DEFAULT Ldap-Group == "cn=admin,ou=groups,o=myorg" Class = ADMIN, Fall-Through = 1 DEFAULT Ldap-Group == "cn=user,ou=groups,o=myorg" Class = USER, Fall-Through = 1 Essentially, we want to assign a user to a specific class based on what group they are in, with some groups superseding others. Our LDAP entries have multiple memberOf attributes that list the groups a user is in, as well as groups that list the members. I was able to get this to work, but it appears that every group is scanned to find the user rather than merely using the memberOf attribute in the main LDAP record. Is there a way to trigger on that rather than scanning the groups? Note: The dictionary mapping file (ldap.attrs) is the default one, I have made no changes. With respect to the users file, I believe I can remove the Fall-Through parameter there for all but the vpn LDAP group. That would cut down, somewhat, on the group scanning. In the main radius config, can I remove all of the unused modules? I don't believe we're using PAP/CHAP/MS-CHAP at all, nor are we using the unix passwd file or EAP. Those can all be commented out to save time/resources, correct? And finally, can someone give me a few hints on how to identify the cause of the "LDAP connection lost" messages we see? They seem to be intermittent and I am unable to find a cause for them. The network is stable and there is no loss of connectivity at the lower layers. I believe radius is sending keepalives, correct, so a loss of connectivity could indicate keepalives being lost? Any help is appreciated! Thanks! If there's any additional information I can provide that would help, please let me know. -- --------------------------- Jason Frisvold xenophage0@gmail.com --------------------------- "I love deadlines. I like the whooshing sound they make as they fly by." - Douglas Adams