Slow Ldap Authorization
Version 2.1.10 Since adding LDAP authorization, my login time has slowed down quite a bit. It takes 4 or 5 seconds longer for freeRadius to get through all of the [ldap] fields and send an Access-Accept. Is this a normal amount of time, or is there something in my configuration that is causing this slow down? LDAP Module: ldap { # # Note that this needs to match the name in the LDAP # server certificate, if you're using ldaps. server = "172.28.64.10" identity = "CN=User Name,OU=Phoenix_Users,DC=company,DC=com" password = password basedn = "DC=company,DC=com" filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))" groupname_attribute = cn groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{contr$ groupmembership_attribute = memberOf # base_filter = "(objectclass=radiusprofile)" # How many connections to keep open to the LDAP server. # This saves time over opening a new LDAP socket for # every authentication request. ldap_connections_number = 5 Debug: Ready to process requests. rad_recv: Access-Request packet from host 172.28.64.3 port 1645, id=98, length=85 User-Name = "RadiusUser" User-Password = "password" NAS-Port = 3 NAS-Port-Id = "tty3" NAS-Port-Type = Virtual Calling-Station-Id = "172.28.64.119" NAS-IP-Address = 172.28.64.3 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "RadiusUser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [ldap] Entering ldap_groupcmp() [files] expand: DC=company,DC=com -> DC=company,DC=com [files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [files] ... expanding second conditional [files] expand: %{User-Name} -> RadiusUser [files] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser)) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] attempting LDAP reconnection [ldap] (re)connect to 172.28.64.10:389, authentication 0 [ldap] bind as CN=User Name,OU=Alaska_Users,DC=company,DC=com/password to 172.28.64.10:389 [ldap] waiting for bind result ... [ldap] Bind was successful [ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser)) [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in DC=company,DC=com, with filter (&(cn=Radius-Users)(|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom)))) [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com [ldap] object not found [ldap] ldap_release_conn: Release Id: 0 [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in CN=User Name,OU=Alaska_Users,DC=company,DC=com, with filter (objectclass=*) [ldap] performing search in CN=Radius-Users,OU=Alaska_Users,DC=company,DC=com, with filter (cn=Radius-Users) rlm_ldap::ldap_groupcmp: User found in group Radius-Users [ldap] ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 176 ++[files] returns ok [ldap] performing user authorization for RadiusUser [ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [ldap] ... expanding second conditional [ldap] expand: %{User-Name} -> RadiusUser [ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser)) [ldap] expand: DC=company,DC=com -> DC=company,DC=com [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 [ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser)) [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com [ldap] No default NMAS login sequence [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly? [ldap] user RadiusUser authorized to use remote access [ldap] ldap_release_conn: Release Id: 0 ++[ldap] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING! No "known good" password found for the user. Authentication may fail because of this. ++[pap] returns noop ++? if (!control:Auth-Type) ? Evaluating !(control:Auth-Type) -> TRUE ++? if (!control:Auth-Type) -> TRUE ++- entering if (!control:Auth-Type) {...} +++[control] returns noop ++- if (!control:Auth-Type) returns noop Found Auth-Type = ntlm_auth # Executing group from file /etc/freeradius/sites-enabled/default +- entering group authenticate {...} [ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=RadiusUser [ntlm_auth] expand: --password=%{User-Password} -> --password=password Exec-Program output: NT_STATUS_OK: Success (0x0) Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0) Exec-Program: returned: 0 ++[ntlm_auth] returns ok # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} ++[exec] returns noop Sending Access-Accept of id 98 to 172.28.64.3 port 1645 Service-Type = NAS-Prompt-User Cisco-AVPair = "shell:priv-lvl=15" Motorola-WIBB-Auth-Role = security-officer-role Finished request 0. Going to the next request Waking up in 4.9 seconds. Cleaning up request 0 ID 98 with timestamp +17 Ready to process requests. T. Brady
On 11 Jan 2013, at 22:15, Tyler Brady <tbrady@stc-comm.com> wrote:
Version 2.1.10
Since adding LDAP authorization, my login time has slowed down quite a bit. It takes 4 or 5 seconds longer for freeRadius to get through all of the [ldap] fields and send an Access-Accept. Is this a normal amount of time, or is there something in my configuration that is causing this slow down?
No that's not normal, it should be under 100ms if not faster. Uh it's following three referrals having to establish a new connection each time, that may be why it's so slow. You should also check that you have the appropriate indexes configured. -Arran
Can someone help point me in the right direction? LDAP is taking too long to authorize due to something in my configuration. Keep in mind that I am about as newb as you can get when it comes to this stuff. I apologize for my ignorance. Any help would be greatly appreciated. [ldap] Bind was successful [ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser)) [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0 Should it rebind three times to different ldap URL? If not, how do I change this? I have tried pretty much every BaseDN combination possible. Why is it adding "2c and 3d," here >> " ...)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany... "
On 14 Jan 2013, at 23:35, Tyler Brady <tbrady@stc-comm.com> wrote:
Can someone help point me in the right direction? LDAP is taking too long to authorize due to something in my configuration. Keep in mind that I am about as newb as you can get when it comes to this stuff. I apologize for my ignorance. Any help would be greatly appreciated.
[ldap] Bind was successful [ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser)) [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com [ldap] ldap_release_conn: Release Id: 0 [files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))) [ldap] ldap_get_conn: Checking Id: 0 [ldap] ldap_get_conn: Got Id: 0
Should it rebind three times to different ldap URL? If not, how do I change this? I have tried pretty much every BaseDN combination possible.
Why is it adding “2c and 3d,” here >> “ …)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany... ”
Look. This is absolutely not a RADIUS issue, you need to buy a book on LDAP and read up on referals, and escaping special characters. Anyone involved in AAA needs to know about these fundimental protocols, spoonfeeding you information will not help your understanding of them. -Arran
Look. This is absolutely not a RADIUS issue, you need to buy a book on LDAP and read up on referals, and escaping special characters. Anyone involved in AAA needs to know about these fundimental protocols, spoonfeeding you information will not help your understanding of them.
-Arran
Fair enough. I appreciate the response. Thank you, T. Brady
On 01/11/2013 10:15 PM, Tyler Brady wrote:
basedn = "DC=company,DC=com"
Try setting a more specific (longer) base DN. As Arran has pointed out, you're getting LDAP referrals. Active Directory likes to do this if you query the LDAP tree from a point "above" >1 database, even though they're all available from the same server. Preferably you'll have an OU below which are only objects, not more AD LDAP databases (including ADs own "internal" DBs, "CN=Configuration" and the like). If you're not familiar with the steps involved to get there, you'll need some assistance I'm afraid - and this list can't really provide it, that being an AD-specific issue.
On 01/15/2013 07:45 AM, Phil Mayers wrote:
On 01/11/2013 10:15 PM, Tyler Brady wrote:
basedn = "DC=company,DC=com"
Try setting a more specific (longer) base DN. As Arran has pointed out, you're getting LDAP referrals. Active Directory likes to do this if you query the LDAP tree from a point "above" >1 database, even though they're all available from the same server.
Sorry, I've just realised another thing you can try - disable referral chasing. This is an option on the ldap module - try this: ldap { ... chase_referrals = no } ...this may be more workable than changing base DN, if I'm inferring your AD layout correctly ("everything under top-level").
participants (3)
-
Arran Cudbard-Bell -
Phil Mayers -
Tyler Brady