new rlm_sql connection pool logic

Phil Mayers p.mayers at imperial.ac.uk
Mon Oct 17 20:35:33 CEST 2011


On 10/17/2011 06:58 PM, Alan Buxey wrote:
> Hi,
>
>>     Sounds nice! Out of curiosity: any plans to make LDAP connections
>>     persistent and pooled as well? one of my customers has very high numbers
>>     of LDAP calls in authorize, and needs to do LDAPS. The TLS session setup
>>     load is very uncomfortable right now.
>
> why do they have a very high number of calls to LDAP?  Are they calling LDAP
> in the outerID of EAP requests?  are they calling LDAP for non local requests?

N.B. as per the discussion on the Janet-roaming mailing list a while 
back, and on this list a bit later - if you're running PEAP/MS-CHAP, 
even running LDAP on the inner tunnel will, currently, incur 3 LDAP 
lookups, one for each pass through the inner tunnel - EAP-identity, 
EAP-MSCHAP, EAP-success.

Once I've failed my exam tomorrow (haha! just kidding... I hope) I will 
have some free time, and will revisit the EAP code changes needed to 
make this not happen.

Or you could use the vilest unlang ever devised[1]

# stop processing authorize on eap identity or mschap success/fail
if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) {
	noop
}
else {
	# rest of your inner EAP goes here
}

BWahahahaha!

Cheers,
Phil

[1] Unlang may not actually be the vilest ever devised
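
Added example, not part of the original message or of FreeRADIUS: a Python sketch that decodes the EAP header and shows which of the three inner-tunnel passes the condition above would short-circuit. The sample packets are constructed, the function names are hypothetical, and it assumes EAP-Message is compared in its lowercase "0x..." hex form, as the regex in the message implies.

```python
import re

# The regex from the message: EAP Response (0x02), any identifier,
# length 0x0006, type 0x1a (MS-CHAPv2), followed by a single opcode byte.
SHORT_MSCHAP = re.compile(r"^0x02..00061a..$")

def parse_eap(raw: bytes) -> dict:
    """Decode the EAP header: code, identifier, length, and type if present."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than the 4-byte header")
    length = int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("EAP length field does not match packet size")
    # Only Request (1) and Response (2) packets carry a type byte.
    eap_type = raw[4] if raw[0] in (1, 2) and length >= 5 else None
    return {"code": raw[0], "id": raw[1], "length": length, "type": eap_type}

def skips_lookup(raw: bytes) -> bool:
    """True when the unlang condition would hit the noop branch."""
    pkt = parse_eap(raw)
    hex_form = "0x" + raw.hex()  # assumed string form of the attribute
    return pkt["type"] == 1 or bool(SHORT_MSCHAP.match(hex_form))

# Constructed sample packets, one per pass through the inner tunnel.
IDENTITY = bytes.fromhex("0201000801626f62")       # Response/Identity "bob"
CHALLENGE_RESPONSE = (                              # MS-CHAPv2 opcode 2
    bytes([0x02, 0x02, 0x00, 62, 0x1A, 0x02, 0x02])
    + (57).to_bytes(2, "big") + bytes([49]) + bytes(49) + b"bob"
)
SUCCESS_ACK = bytes.fromhex("020300061a03")         # MS-CHAPv2 opcode 3

def classify_all() -> dict:
    """Map each constructed pass to whether authorize would be skipped."""
    return {
        "identity": skips_lookup(IDENTITY),
        "challenge-response": skips_lookup(CHALLENGE_RESPONSE),
        "success-ack": skips_lookup(SUCCESS_ACK),
    }

if __name__ == "__main__":
    for name, skipped in classify_all().items():
        print(f"{name:20s} skip authorize: {skipped}")
```

Only the pass carrying the actual MS-CHAPv2 response still reaches the rest of authorize, so the three lookups drop to one.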


