LDAP, old TCP connections, and retry
Alan DeKok
aland at deployingradius.com
Wed Mar 10 08:34:09 CET 2010
Justin Steward wrote:
> Question 1:
> The LDAP server which the radius server attempts to connect to is
> located behind a firewall which kills TCP connections that have been
> idle for 30 minutes. FR then tries to do a lookup using a connection
> that has been open and idle for half an hour or more, and the firewall
> drops the now invalid connection.
I fail to understand why people do this. Firewall two critical
components, and then *increase* failure by having the FW break TCP
connections.
> How can I force an idle timeout on LDAP connections in FR?
Change the source code in rlm_ldap.
> Question 2:
> From the information I have been given, it appears that if the
> connection times out, LDAP does not attempt to retry.
>
> Is there a way to force FR to make 1 or 2 attempts at retrying the
> connection before giving up on LDAP?
Change the source code.
> The current situation is causing many headaches trying to log in, and
> the client is reluctant to relax their firewall for a number of
> reasons.
<shrug> They chose to destroy their own network. I'm not surprised
they're hesitant to fix it.
Alan DeKok.
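A socket-level mitigation for the idle-timeout problem described in the thread, added here as an example and not code from FreeRADIUS or rlm_ldap: enabling TCP keepalive so that probes go out well before the firewall's 30-minute idle limit, which keeps the firewall's state entry fresh and lets the kernel notice a connection the firewall has already dropped. It assumes Linux-style TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT socket options; the timer values (600 s idle, 30 s interval, 3 probes) are constructed for the illustration.

```c
/* Added example: tune TCP keepalive on a socket so an idle connection is
 * probed before a 30-minute firewall idle timeout expires. Plain-socket
 * demonstration; rlm_ldap itself talks through libldap, not raw sockets. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <unistd.h>
#include <stdio.h>

#ifndef TCP_KEEPIDLE
#define TCP_KEEPIDLE TCP_KEEPALIVE   /* BSD/macOS name for the idle timer */
#endif

struct keepalive_cfg {
    int idle_s;      /* seconds of idleness before the first probe */
    int interval_s;  /* seconds between unanswered probes */
    int count;       /* unanswered probes before the kernel drops the socket */
};

/* Apply keepalive settings to fd; returns 0 on success, -1 on error. */
int enable_keepalive(int fd, const struct keepalive_cfg *cfg)
{
    int on = 1;
    if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof on) < 0) return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &cfg->idle_s, sizeof cfg->idle_s) < 0) return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &cfg->interval_s, sizeof cfg->interval_s) < 0) return -1;
    if (setsockopt(fd, IPPROTO_TCP, TCP_KEEPCNT, &cfg->count, sizeof cfg->count) < 0) return -1;
    return 0;
}

/* Read back the configured idle time so a caller can verify it took effect. */
int keepalive_idle(int fd)
{
    int v = 0;
    socklen_t len = sizeof v;
    if (getsockopt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &v, &len) < 0) return -1;
    return v;
}

/* Create an (unconnected) TCP socket that will probe after idle_s seconds
 * of silence; returns the fd, or -1 on failure. Values are constructed. */
int keepalive_socket(int idle_s)
{
    struct keepalive_cfg cfg = { idle_s, 30, 3 };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (enable_keepalive(fd, &cfg) < 0) { close(fd); return -1; }
    return fd;
}

int main(void)
{
    int fd = keepalive_socket(600);   /* 10 idle minutes, well under the 30 the firewall allows */
    if (fd < 0) { perror("keepalive_socket"); return 1; }
    printf("TCP_KEEPIDLE = %d seconds\n", keepalive_idle(fd));
    close(fd);
    return 0;
}
```

Keepalive only makes the dead connection fail fast on the next LDAP operation instead of hanging; reconnecting and retrying that operation is still separate logic, which is the second thing the original question asks about.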