LDAP timeouts during failure conditions

Phil Mayers p.mayers at imperial.ac.uk
Thu Jun 30 16:51:21 CEST 2011

On 29/06/11 18:48, John Dennis wrote:

> an observation). I kinda think it might be worthwhile to start with a
> clean slate, write down the requirements for the module and write it
> cleanly from scratch to match the requirements.

Maybe; but then you've got the problem of a) throwing away a lot of code 
and having to rewrite it, and having the time to rewrite it and b) 
ensuring you understand all the use-cases that people put it to, and 
either accounting for them or providing methods of doing the same.

I guess you could rename rlm_ldap to rlm_ldapold and create a new 
rlm_ldap with some "helpers" defined in policy.conf, but it seems like a 
lot of work. Additionally, given the confusion that reigns on the main 
list sometimes from old FAQs, I suspect it would cause havoc in terms of 

>> * it doesn't touch the eDir code - I don't have a way to test it
> Perhaps a bit off topic for this discussion, but I always thought it was
> dubious to have special code for a specific LDAP server in FreeRADIUS. I

Examining the code, it seems that eDir needs specific LDAP controls to 
extract the cleartext password; grumble. So I suspect it needs to stay.

> Side comment on server models:
> Sorry, forgot who said this in the last couple of days, but they
> endorsed the event loop driven asynchronous model. After working for

I think that was me ;o)

> many years on a variety of servers I too have come to believe event loop
> driven architectures are superior in contrast to forking children,
> spawning threads, etc. Anything we've written recently follows the event
> loop model. It's not perfect by any means but it gets rid of a lot of
> nasty problems and IMHO the resulting code simplier and easier to

Obviously I agree, but a lot of people don't. Some people hate the way 
the callback model breaks up the flow control for anything involving 
composite operations.

It also means you need protocol implementations that will let you take 
over the networking - drive the socket receive/transmit loop yourself, 
and feed data into/out of the protocol, generating protocol PDU 
callbacks back into your app. Sadly (from my point of view), those are 
very rare.

TBH I don't think it matters that much to anyone except the developers 
what the underlying processing model is - users interact with the module 
processing, string-expansion and unlang features, not the select() loop.

On that latter topic: I do wonder if we might start running into 
problems with fd_set size limitations now that "master" supports TCP 
sockets. Eduroam sites (e.g. us) using radius-over-TLS and DNS-based 
autodiscovery could, conceivably, have many tens of TCP connections open 
at any given time. But an epoll event core is probably pretty trivial, 
given that Alan has factored the existing loop cleanly.

More information about the Freeradius-Devel mailing list