rlm_ldap & TCP KeepAlive
fred.maison at gmail.com
Mon May 3 13:43:51 CEST 2010
On Friday 30 April 2010 at 14:19 +0200, Fred MAISON wrote:
> > Message: 4
> > Date: Fri, 30 Apr 2010 11:56:25 +0200
> > From: Alan DeKok <aland at deployingradius.com>
> > Subject: Re: rlm_ldap & TCP KeepAlive
> > To: FreeRadius developers mailing list
> > <freeradius-devel at lists.freeradius.org>
> > Message-ID: <4BDAA949.3020100 at deployingradius.com>
> > Content-Type: text/plain; charset=ISO-8859-1
> > Fred MAISON wrote:
> > > Some stateful equipment like firewalls or load-balancers tends to drop
> > > long-idle TCP sessions to protect their session tables.
> > > To keep idle TCP sessions active and avoid this kind of disconnection, I
> > > found it could be useful to be able to configure TCP KeepAlive from the
> > > rlm_ldap config file, exposing the TCP KeepAlive options available in the
> > > OpenLDAP libraries to the rlm_ldap config file:
> > > LDAP_OPT_X_KEEPALIVE_IDLE, LDAP_OPT_X_KEEPALIVE_PROBES,
> > > LDAP_OPT_X_KEEPALIVE_INTERVAL
> > Yup.
> > > Unfortunately, as Red Hat has released its 5.5, I no longer have access
> > > to jdennis's binary repository, so I am having trouble recompiling 2.1.8 for
> > > CentOS 5.4 on x86_64.
> > > I have tried to recompile freeradius 2.1.8 with this patch from the
> > > fedoraproject cvs sources, but I don't know how to integrate this patch
> > > into the source tree.
> > Use the "patch" program:
> > $ hg diff > patch
> > $ cd src/modules/rlm_ldap
> > $ patch -p1 < ../../patch
> > Then build it.
> > This can be done after the "configure" stage.
> > > Once validated, could this kind of code be integrated in a future
> > > release ?
> > Yes. John has a number of LDAP patches pending.
> > Alan DeKok.
> I am interested in John's patches.
> Where are they available?
> I am also interested in the Alexander Coulter patches you talked about in
> a post dated 28 Jan 2010 17:36:46 +0100 regarding ldap redundancy and the
> Ldap-Group checkItem in the users file (message
> 4B61BD1E.1090005 at deployingradius.com).
> As you talked about integrating those patches in 2.2.0, how can I
> access the freeradius 2.2.x cvs?
> I tried cvs -d :pserver:anoncvs at cvs.freeradius.org:/source checkout
> radiusd, but the version retrieved there seems to be 2.0.6 ...
> Best regards,
> Fred MAISON
This weekend I successfully tested my ldap keepalive patch for
Among some other issues, those options are only available since OpenLDAP
library version 2.4.18, so I have enclosed all my code sections in
#ifdef LDAP_OPT_X_KEEPALIVE_IDLE ..... #endif to avoid build problems if
only an older OpenLDAP version that does not support those settings is present.
I tested in VMware under Debian Squeeze (32-bit) and CentOS 5.4
(32-bit), after a manual build, install, ldd ... of the latest stable
OpenLDAP source tree, as I don't have enough RPM and SRPMS knowledge to
cleanly rebuild all dependencies for both the OpenLDAP libraries and
I have verified that the configured keepalives are correctly taken into
account, observing TCP keepalive packets at the configured interval on the LDAP
sockets with Wireshark.
I also checked that the keepalive_idle, keepalive_probes and
keepalive_interval parameters are correctly applied if configured in the
rlm_ldap module configuration files.
In summary,
* this patch correctly protects against unsolicited disconnections by
firewalls or load-balancers traversed by LDAP sessions when idle for
some time ...
* as most major Linux distros do not have the 2.4.18+ OpenLDAP library
version yet, this can be a problem for cleanly using this patch, as it
means it's also necessary to rebuild the OpenLDAP 2.4.18+ library from
the source tarball ...
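As an added example, not code from the patch, FreeRADIUS or OpenLDAP: the three OpenLDAP options discussed in the thread (LDAP_OPT_X_KEEPALIVE_IDLE, _PROBES, _INTERVAL) end up as the Linux per-socket options TCP_KEEPIDLE, TCP_KEEPCNT and TCP_KEEPINTVL. The block below applies such a configuration to a raw TCP socket, reads it back from the kernel so the values can be checked the same way Wireshark was used above, and shows the #ifdef guard pattern for an OpenLDAP header that predates the options. The struct, function names and the 60s/3/10s values are this example's own assumptions; the OpenLDAP section only compiles when a new enough ldap.h is present on the build host.

```c
/* Added example (not FreeRADIUS or OpenLDAP project code): how the
 * OpenLDAP keepalive options map onto the Linux TCP socket options they
 * set, and how to guard for libraries older than OpenLDAP 2.4.18. */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pull in ldap.h only if the build host has it (assumed optional). */
#if defined(__has_include)
#  if __has_include(<ldap.h>)
#    include <ldap.h>
#  endif
#endif

/* Hypothetical struct mirroring the rlm_ldap parameter names from the
 * thread: keepalive_idle, keepalive_probes, keepalive_interval. */
struct keepalive_cfg {
    int idle;      /* seconds of idleness before the first probe */
    int probes;    /* unanswered probes before the kernel drops the connection */
    int interval;  /* seconds between probes */
};

/* Worst-case seconds from last data until a dead peer is declared; the
 * idle value alone is what must stay below a firewall's idle timeout. */
int keepalive_detect_seconds(const struct keepalive_cfg *c)
{
    return c->idle + c->probes * c->interval;
}

/* Apply the settings to a TCP socket (what libldap does on Linux for
 * LDAP_OPT_X_KEEPALIVE_*). Returns 0, or -1 with errno set. */
int socket_set_keepalive(int fd, const struct keepalive_cfg *c)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0) return -1;
#ifdef TCP_KEEPIDLE
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &c->idle, sizeof c->idle) < 0) return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &c->probes, sizeof c->probes) < 0) return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &c->interval, sizeof c->interval) < 0) return -1;
    return 0;
#else
    errno = ENOPROTOOPT;  /* this platform has no per-socket keepalive tuning */
    return -1;
#endif
}

/* Read the values back so the kernel's view can be compared with the
 * request. Returns 0 on success. */
int socket_get_keepalive(int fd, struct keepalive_cfg *out)
{
#ifdef TCP_KEEPIDLE
    socklen_t len = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &out->idle, &len) < 0) return -1;
    len = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &out->probes, &len) < 0) return -1;
    len = sizeof(int);
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &out->interval, &len) < 0) return -1;
    return 0;
#else
    (void)fd; (void)out;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Create a throw-away, unconnected TCP socket, apply and read back the
 * settings; 0 if the kernel reports exactly what was requested. */
int keepalive_roundtrip(const struct keepalive_cfg *want)
{
    struct keepalive_cfg got = {0, 0, 0};
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int rc = socket_set_keepalive(fd, want);
    if (rc == 0) rc = socket_get_keepalive(fd, &got);
    close(fd);
    if (rc != 0) return -1;
    return (got.idle == want->idle && got.probes == want->probes &&
            got.interval == want->interval) ? 0 : -1;
}

#ifdef LDAP_OPT_X_KEEPALIVE_IDLE
/* The same settings through libldap, compiled only when the installed
 * ldap.h defines the option (the #ifdef guard described in the thread). */
int apply_ldap_keepalive(LDAP *ld, const struct keepalive_cfg *c)
{
    if (ldap_set_option(ld, LDAP_OPT_X_KEEPALIVE_IDLE, &c->idle) != LDAP_OPT_SUCCESS) return -1;
    if (ldap_set_option(ld, LDAP_OPT_X_KEEPALIVE_PROBES, &c->probes) != LDAP_OPT_SUCCESS) return -1;
    if (ldap_set_option(ld, LDAP_OPT_X_KEEPALIVE_INTERVAL, &c->interval) != LDAP_OPT_SUCCESS) return -1;
    return 0;
}
#endif

int main(void)
{
    /* Constructed values: first probe after 60s idle, 3 probes 10s apart. */
    struct keepalive_cfg cfg = { 60, 3, 10 };
    printf("dead peer detected within %d s\n", keepalive_detect_seconds(&cfg));
    if (keepalive_roundtrip(&cfg) == 0)
        puts("kernel accepted keepalive settings");
    else
        perror("keepalive");
    return 0;
}
```

Pick the idle value from the shortest idle timeout of any firewall or load-balancer on the path to the LDAP servers; the probe count and interval only govern how quickly a genuinely dead peer is noticed and do not by themselves keep a session table entry alive.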