ldap group lookup help
gouldwp at auburn.edu
Thu Sep 2 16:49:02 CEST 2010
We are having problems with ldap group lookups... Here's our
environment. Using Freeradius 2.1.8 to authenticate wireless users
against our AD servers and perform ldap group membership lookups. Using
WPA2-AES-PEAP-MSCHAPv2. When radiusd is started, initially the lookups
work fine and we see successful auths in our radius logs. But, after
some period of time, we eventually begin to see bunches of "Invalid
user:" radius logs. The only thing that seems to fix this is to remove
the ldap group lookups from the freeradius config.
In our ldap module, the basedn we specify is dc=auburn,dc=edu (as we
have multiple user ou's). Not sure if that might be causing an issue or
One thing I have noticed is there are 3 ldap group lookups that each say
"rlm_ldap::ldap_groupcmp: User found in group xxxx". I have read posts
about configuring the ldap module to use the inner-tunnel - which I have
done. Is there any way to reduce the number of group lookups to only
one? Not sure if the extra lookups are causing unneeded traffic which
may be causing issues?
Also, I see 10 Access-Request packets and about the same number of
Access-Challenge packets. Is this normal? Just wondering if excessive
unneeded traffic is what is overloading the AD/ldap servers?
Any help or suggestions will be appreciated.