LDAP redundant with LDAP-Group within users file

Phil Mayers p.mayers at imperial.ac.uk
Tue Jun 28 22:23:02 CEST 2011


On 06/28/2011 08:15 PM, Alexander Clouter wrote:

>
> I keep meaning to do this for the sql module (well, postgresql) but it
> can be done for libldap too.  Open the socket directly in freeradius,
> using SOCK_NONBLOCK ->  connect() ->  SO_RCVTIMEO/SO_SNDTIMEO and then
> pass that all to ldap_init_fd().  connect() can now catch timeouts with
> select() and it means we also catch networking errors rather than just
> server/client errors.

ldap_init_fd seems to be a relatively new API. It's absent for example 
in the OpenLDAP 2.3.27 libs that come with RHEL5. So it's not surprising 
there's nothing like this in the code.

It's also damn tedious because you get into all the "joys" of parsing 
the LDAP url, calling getaddrinfo() to resolve it properly, looping over 
the results, deciding whether to fork off connections in "happy 
eyeballs" mode 300 milliseconds apart etc. etc.

It's a mystery to me why there isn't an "ldap_open_s" and an 
"ldap_open", the latter doing what you suggest.

Anyway, certainly it's doable. But as per my discussion in other fora, 
it's relatively useless if you do this "inline" with the radius request. 
The whole point is to pull up a working connection, and until you've got 
one, fast-fail the module so "redundant {}" can do its work. That means 
a worker thread.
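Added example, not code from this thread or from FreeRADIUS: the socket-level half of the sequence Alexander describes (non-blocking connect, select() with a deadline, SO_RCVTIMEO/SO_SNDTIMEO), in C. It assumes an already-resolved IPv4 address, so the LDAP URL parsing and getaddrinfo() loop Phil mentions, and the ldap_init_fd() handoff, are left to the caller; the loopback listener is a constructed test fixture.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bounded-wait connect to a resolved address: returns a connected, blocking fd with
 * per-call I/O timeouts, or -1 on timeout/refusal/network error.  The caller would
 * pass the fd to ldap_init_fd(); libldap is not linked here, so that step is omitted. */
int connect_with_timeout(const struct sockaddr_in *sa, int timeout_ms)
{
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    struct timeval io_tv = tv;           /* select() may modify tv; keep a clean copy */
    int fd = socket(AF_INET, SOCK_STREAM | SOCK_NONBLOCK, 0);
    if (fd < 0) return -1;
    if (connect(fd, (const struct sockaddr *)sa, sizeof(*sa)) < 0 && errno != EINPROGRESS)
        goto fail;                       /* immediate error, e.g. ECONNREFUSED */
    fd_set wfds; FD_ZERO(&wfds); FD_SET(fd, &wfds);
    if (select(fd + 1, NULL, &wfds, NULL, &tv) <= 0)
        goto fail;                       /* 0 = timed out (SYN unanswered), <0 = error */
    int err = 0; socklen_t len = sizeof(err);
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0 || err != 0)
        goto fail;                       /* deferred error, e.g. ECONNREFUSED/EHOSTUNREACH */
    int flags = fcntl(fd, F_GETFL, 0);   /* back to blocking, but every read/write is bounded */
    if (flags < 0 || fcntl(fd, F_SETFL, flags & ~O_NONBLOCK) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &io_tv, sizeof(io_tv)) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_SNDTIMEO, &io_tv, sizeof(io_tv)) < 0)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* Test helper (constructed): listener on 127.0.0.1 with a kernel-chosen port. */
int listen_on_loopback(struct sockaddr_in *out)
{
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof(sa);
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&sa, len) < 0 || listen(lfd, 4) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &len) < 0) { close(lfd); return -1; }
    *out = sa;
    return lfd;
}
```

A refused or unreachable peer now fails within the deadline instead of blocking the request thread, which is the fast-fail that lets "redundant {}" move on.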
