how to limit the repeating ldap lookups

Alan DeKok aland at
Tue Aug 27 23:20:32 CEST 2013

Martin Kraus wrote:
> I'm using TTLS+TLS.

  Then what are you looking up in ldap?

> I can see that the eap { ok = return } automagically skips to the
> authentication section but the first two access-requests in the session cause
> it to return updated status so the ldap lookups are executed. 
> I assume there isn't much I can do about that, right?

  Sure.  You can look at the debug output, see what's different between
packets N and N+1, and use those differences to selectively run ldap.

> I then have a separate problem with the inner-tunnel where the inner-eap never
> returns ok in the authorization section so it keeps on doing the ldap lookups.
> in the session I have it did 9 separate passes which together with the outer
> tunnel is 11 ldap passes which in my case is more then 30 ldap lookups for a
> single user login.

  Again, look at the debug output.

> There are also these warnings in inner-tunnel
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0xfa098d01f80a8033 did not finish!
> WARNING: !! Please read
> WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> but the inner tls session seems to be still progressing fine since the last
> warning is right before the last access-request which results in the
> access-accept for the user. 

  Read it again.  The ONLY time that message is produced is when the EAP
session doesn't finish.  There are likely 2-3 failed attempts before one
success.  If you only look at the succes...

> Is there something I can do about the 9 lookups in the inner-tunnel server?
> I'll have a look at the rlm_cache as well but I'm just curious as to why is it
> happening.

  Because that's what you told it to do.  The server is pretty dumb that

  Again, look at the debug log to see what's happening.  *WHY* are you
doing LDAP lookups at all?  Can you not delay them?

  And rlm_cache should help a lot, too.

  Alan DeKok.

More information about the Freeradius-Users mailing list