how to limit the repeating ldap lookups

Martin Kraus lists_mk at wujiman.net
Mon Aug 26 18:08:35 CEST 2013


On Mon, Aug 26, 2013 at 02:45:29PM +0100, Arran Cudbard-Bell wrote:
> > Is it possible to limit the repeating ldap lookups that happen during mschap
> > and tls negotiations? Like having an attribute that I could test for which
> > would tell me that the negotiation is completed?
> 
> If you list the ldap module after the eap module in the default configuration then the default config already does this.
> 
> You may also want to consider using the rlm_cache module.

I'm using TTLS+TLS.

I can see that the eap { ok = return } automagically skips to the
authentication section but the first two access-requests in the session cause
it to return updated status so the ldap lookups are executed. 
I assume there isn't much I can do about that, right?

I then have a separate problem with the inner-tunnel where the inner-eap never
returns ok in the authorization section so it keeps on doing the ldap lookups.
In the session I have, it did 9 separate passes, which together with the outer
tunnel is 11 ldap passes, which in my case is more than 30 ldap lookups for a
single user login.

There are also these warnings in inner-tunnel:

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0xfa098d01f80a8033 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

but the inner tls session seems to be still progressing fine since the last
warning is right before the last access-request which results in the
access-accept for the user. 

Is there something I can do about the 9 lookups in the inner-tunnel server?
I'll have a look at the rlm_cache as well but I'm just curious as to why it is
happening.

thanks
Martin
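For reference, this is how the ordering Arran describes looks in an authorize section: eap with `ok = return` listed before ldap, so ldap is skipped on the EAP continuation packets. This is an added illustration, not config posted in the thread; module names and section layout follow the stock sites-available files, and the exact set of other modules is assumed.

```unlang
# sites-available/inner-tunnel (the same pattern applies to sites-available/default)
authorize {
	# ... other modules (preprocess, suffix, ...) go here

	# Once an EAP conversation is under way, eap returns "ok" for the
	# continuation packets. "ok = return" makes the whole authorize
	# section return at that point, so nothing listed below it runs.
	# The first round(s), where eap returns "updated" instead, still
	# fall through to the modules below.
	eap {
		ok = return
	}

	# Anything that needs the directory goes AFTER eap, so it is only
	# executed on the rounds where eap did not already take over.
	# An rlm_cache instance (see raddb/modules/cache) could be placed
	# around this call to keep the ldap result for the remaining rounds.
	ldap

	pap
}
```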

