Strange problems in large proxy setup

Kostas Zorbadelos kzorba at otenet.gr
Fri Feb 23 16:06:04 CET 2007


On Fri, Feb 23, 2007 at 02:49:57PM +0000, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
> 
> > active sessions and if he is allowed to have a session the request is
> > proxied to the FUNK server that performs the actual authentication. So
> > the setup is a classical proxy setup. This policy decision of whether
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> whoah. steady on there. this is not a classical proxy setup. in a classical
> proxy setup ALL autentication is handled by a 3rd party. in this case you
> are doing an LDAP authorization on the FreeRADIUS box. 

OK you have a point there, my wording is incorrect. Yes, we do make an
authorization decision in the freeradius box. 

> the fact that this
> works on testing but not in high-volume production points a marked finger
> towards this LDAP process. 
> 

The 'ldap process' you refer to is actually rlm_ldap and a tiny
module of ours. However, we have never
observed any issues with them, no error messages or any other logging
messages. I believe I have a valid and quite simple (for my purposes
of course) configuration. I make the authorization decision and if all
OK, I proxy the request, otherwise I reject the request without
proxying it. 

radiusd -X confirms that the configuration is correct, however I have
this problem behaviour in large scale. My initial suspitions go to the
proxying code to be honest, but I need to take a good look to grasp
it.  

> alan

Kostas



More information about the Freeradius-Users mailing list