LDAP redundant with LDAP-Group within users file
Alexander Clouter
alex at digriz.org.uk
Tue Jun 28 21:15:41 CEST 2011
Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>
> Unfortunately, when you supply >1 LDAP server, this is handled
> internally by libldap, and libldap tries the LDAP servers in series, not
> in parallel. So there will always be some outage.
>
> FreeRADIUS does not currently have connection pools, and they're a bit
> hard with LDAP because libldap doesn't have a great API.
>
The API is good enough.

I keep meaning to do this for the sql module (well, postgresql) but it
can be done for libldap too. Open the socket directly in freeradius,
using SOCK_NONBLOCK -> connect() -> SO_RCVTIMEO/SO_SNDTIMEO and then
pass that all to ldap_init_fd(). connect() can now catch timeouts with
select() and it means we also catch networking errors rather than just
server/client errors.

I await Alan's "show me the money^Wpatch"...well maybe I'll find some
time next week. Cannot have Imperial stealing the whole show :)

Cheers
--
Alexander Clouter
.sigmonster says: You will have many recoverable tape errors.
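
The socket handling described in the message above (non-blocking connect(), select() for the timeout, then SO_RCVTIMEO/SO_SNDTIMEO), as an added example that is not from the original post or from FreeRADIUS. `connect_with_timeout` is a hypothetical helper, IPv4 only, and the hand-off to ldap_init_fd() is left as a comment so the block builds without libldap.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Hypothetical helper (assumption, not FreeRADIUS code): connect to ip:port,
 * giving up after timeout_ms. Returns a connected, blocking fd with
 * SO_RCVTIMEO/SO_SNDTIMEO set, or -1 with errno describing the failure
 * (ETIMEDOUT, ECONNREFUSED, EHOSTUNREACH, ...). */
int connect_with_timeout(const char *ip, unsigned short port, int timeout_ms)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int fd, flags, err = 0;
    socklen_t len = sizeof(err);
    fd_set wfds;

    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { errno = EINVAL; return -1; }
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;

    flags = fcntl(fd, F_GETFL, 0);
    fcntl(fd, F_SETFL, flags | O_NONBLOCK);  /* portable form of SOCK_NONBLOCK */

    if (connect(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        if (errno != EINPROGRESS) goto fail; /* immediate network error */
        FD_ZERO(&wfds);
        FD_SET(fd, &wfds);
        struct timeval wait = tv;            /* select() may modify its timeout */
        int n = select(fd + 1, NULL, &wfds, NULL, &wait);
        if (n == 0) { errno = ETIMEDOUT; goto fail; }
        if (n < 0) goto fail;
        /* Writable only means "finished": SO_ERROR holds the real outcome. */
        if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0) goto fail;
        if (err) { errno = err; goto fail; }
    }

    fcntl(fd, F_SETFL, flags);               /* back to blocking I/O */
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
    setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &tv, sizeof(tv));
    return fd;                /* the caller would pass this to ldap_init_fd() */

fail:
    { int saved = errno; close(fd); errno = saved; }
    return -1;
}
```
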