new rlm_sql connection pool logic
Phil Mayers
p.mayers at imperial.ac.uk
Mon Oct 17 20:35:33 CEST 2011
On 10/17/2011 06:58 PM, Alan Buxey wrote:
> Hi,
>
>> Sounds nice! Out of curiosity: any plans to make LDAP connections
>> persistent and pooled as well? one of my customers has very high numbers
>> of LDAP calls in authorize, and needs to do LDAPS. The TLS session setup
>> load is very uncomfortable right now.
>
> why do they have a very high number of calls to LDAP? Are they calling LDAP
> in the outerID of EAP requests? are they calling LDAP for non local requests?
N.B. as per the discussion on the Janet-roaming mailing list a while
back, and on this list a bit later - if you're running PEAP/MS-CHAP,
even running LDAP on the inner tunnel will, currently, incur 3 LDAP
lookups, one for each pass through the inner tunnel - EAP-identity,
EAP-MSCHAP, EAP-success.
Once I've failed my exam tomorrow (haha! just kidding... I hope) I will
have some free time, and will revisit the EAP code changes needed to
make this not happen.
Or you could use the vilest unlang ever devised[1]

    # stop processing authorize on eap identity or mschap success/fail
    if ((EAP-Type == 1) || (EAP-Message =~ /^0x02..00061a..$/)) {
        noop
    }
    else {
        # rest of your inner EAP goes here
    }

BWahahahaha!
Cheers,
Phil
[1] Unlang may not actually be the vilest ever devised
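
Added example, not part of the original post and not FreeRADIUS code: a Python sketch that decodes the EAP header of three constructed inner-tunnel messages and shows which ones the condition above sends to noop. It assumes the LDAP lookup sits in the else branch; the helper names, the user "bob" and the zeroed MS-CHAPv2 fields are made up for illustration.

```python
import re
import struct

# Regex copied from the post; FreeRADIUS renders EAP-Message as 0x-prefixed hex.
POST_REGEX = re.compile(r"^0x02..00061a..$")
EAP_RESPONSE, TYPE_IDENTITY, TYPE_MSCHAPV2 = 2, 1, 0x1A
MSCHAP_OPCODES = {1: "Challenge", 2: "Response", 3: "Success", 4: "Failure"}

def eap_response(ident, eap_type, data):
    """Build an EAP Response (RFC 3748 layout) as a 0x-prefixed hex string."""
    hdr = struct.pack("!BBHB", EAP_RESPONSE, ident, 5 + len(data), eap_type)
    return "0x" + (hdr + data).hex()

def classify(hex_msg):
    """Return (description, skipped); skipped means the condition hits noop."""
    raw = bytes.fromhex(hex_msg[2:])
    if len(raw) < 5:
        raise ValueError("too short for an EAP request/response")
    code, _ident, length, eap_type = struct.unpack("!BBHB", raw[:5])
    if length != len(raw):
        raise ValueError("EAP length field does not match the data")
    if eap_type == TYPE_IDENTITY:  # mirrors the EAP-Type == 1 test
        return "EAP-Identity", True
    if eap_type == TYPE_MSCHAPV2 and length >= 6:
        name = "MSCHAPv2 " + MSCHAP_OPCODES.get(raw[5], "opcode %d" % raw[5])
        # 6 bytes total = header + type + opcode only: the success/failure ack
        return name, code == EAP_RESPONSE and length == 6
    return "EAP type %d" % eap_type, False

def ldap_lookups(messages):
    """Count inner-tunnel passes that would still run the else branch."""
    return sum(1 for m in messages if not classify(m)[1])

# Constructed inner-tunnel messages for one login (user "bob", zeroed fields).
_body = bytes([49]) + bytes(49) + b"bob"  # Value-Size, 49-byte Response, Name
_mschap = bytes([2, 7]) + struct.pack("!H", 4 + len(_body)) + _body
SAMPLES = [
    eap_response(6, TYPE_IDENTITY, b"bob"),      # EAP-Identity
    eap_response(7, TYPE_MSCHAPV2, _mschap),     # MSCHAPv2 response (opcode 2)
    eap_response(8, TYPE_MSCHAPV2, bytes([3])),  # success ack (opcode 3)
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(classify(msg), bool(POST_REGEX.match(msg)))
    print("lookups reaching the else branch:", ldap_lookups(SAMPLES))
```

Of the three passes, only the MSCHAPv2 response carrying the actual credentials exchange reaches the else branch, so the lookup count drops from three to one.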