how to limit the repeating ldap lookups

Martin Kraus lists_mk at wujiman.net
Wed Aug 28 00:20:12 CEST 2013


On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote:
>   Again, look at the debug log to see what's happening.  *WHY* are you
> doing LDAP lookups at all?  Can you not delay them?

Hi. I'm using groups to authorize users and pull RADIUS profiles for the users.
My config is similar to what the default FreeRADIUS configuration offers.

> 
>   And rlm_cache should help a lot, too.

I'm stuck with 2.1.10 on Ubuntu :-(

Anyway, I managed to filter out most of the redundant LDAP lookups. The only thing I'm
stuck with is lookups during TLS negotiation, either in the default server for
EAP-TLS or in the inner-tunnel server for EAP-TTLS/EAP-TLS. The handshake
takes 8 Access-Requests, and the only way I can see to filter them out is to
somehow find out if the EAP-Message AVPs contain something to tell me whether
it's about to be done or not.

For EAP-TTLS and PEAP the eap module in the authorize section returns "ok", which
jumps out of the authorize section so the eap module in the authentication
section can process it. But for EAP-TLS it returns "handled", so the whole
authorize section gets parsed.

mk
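The post asks whether the EAP-Message AVPs of an Access-Request reveal where in the TLS exchange the client is. The following is an added example, not code from Martin's post or from FreeRADIUS: a small Python classifier that reassembles the EAP packet from its EAP-Message AVPs and labels it as an identity response, a TLS handshake record, the client's ChangeCipherSpec flight, the empty acknowledgement that ends the handshake, or tunnelled application data. The sample packets, the `needs_user_lookup` policy helper and the label names are constructed for this example; the on-wire layouts follow RFC 3748 (EAP), RFC 5216 (EAP-TLS flags) and RFC 5246 (TLS record content types).

```python
"""Added example (not from the post or the FreeRADIUS sources): classify the EAP
packet carried in an Access-Request's EAP-Message AVPs so that a policy can tell
an identity response apart from EAP-TLS/TTLS/PEAP handshake traffic.
All sample packets below are constructed here, not captured."""
import struct

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TLS, EAP_TYPE_TTLS, EAP_TYPE_PEAP = 13, 21, 25
TLS_BASED_TYPES = {EAP_TYPE_TLS, EAP_TYPE_TTLS, EAP_TYPE_PEAP}

# EAP-TLS flags byte (RFC 5216 section 3.1); TTLS and PEAP use the same layout.
FLAG_LENGTH_INCLUDED = 0x80
FLAG_MORE_FRAGMENTS = 0x40
FLAG_START = 0x20

# TLS record content types (RFC 5246 section 6.2.1).
TLS_CHANGE_CIPHER_SPEC, TLS_ALERT, TLS_HANDSHAKE, TLS_APPLICATION_DATA = 20, 21, 22, 23


def reassemble_eap(eap_message_avps):
    """Each RADIUS EAP-Message AVP carries at most 253 bytes (RFC 3579);
    the EAP packet is the in-order concatenation of all of them."""
    return b"".join(eap_message_avps)


def classify_eap(packet):
    """Return a short label for what a client's EAP packet carries."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP length field does not match packet size")
    if code != EAP_RESPONSE:
        return "not-a-response"          # Access-Requests carry EAP Responses
    if length < 5:
        return "malformed"               # a Response must carry a Type byte
    eap_type = packet[4]
    if eap_type == EAP_TYPE_IDENTITY:
        return "identity"                # first packet; the user name is here
    if eap_type not in TLS_BASED_TYPES:
        return "other-eap"               # e.g. MD5-Challenge, MSCHAPv2
    if length < 6:
        return "malformed"
    flags = packet[5]
    pos = 6
    if flags & FLAG_LENGTH_INCLUDED:
        if length < 10:
            return "malformed"
        pos += 4                         # skip the 4-byte TLS Message Length
    tls_data = packet[pos:]
    if not tls_data:
        # An empty TLS response either acknowledges a server fragment or, once
        # the server's Finished has been received, is the last handshake packet.
        return "tls-ack"
    content_type = tls_data[0]
    if content_type == TLS_HANDSHAKE:
        return "tls-handshake"
    if content_type == TLS_CHANGE_CIPHER_SPEC:
        return "tls-ccs"                 # client's last handshake flight
    if content_type == TLS_APPLICATION_DATA:
        return "tls-tunnel"              # handshake over; inner auth data
    if content_type == TLS_ALERT:
        return "tls-alert"
    return "tls-unknown"


def needs_user_lookup(eap_message_avps):
    """Hypothetical policy helper: True only where a directory lookup can find
    a user. No EAP-Message at all means a plain request (e.g. the PAP inner
    request of EAP-TTLS), which does need the lookup."""
    if not eap_message_avps:
        return True
    return classify_eap(reassemble_eap(eap_message_avps)) == "identity"


# --- constructed sample packets ---------------------------------------------
def build_response(ident, eap_type, type_data):
    return struct.pack("!BBH", EAP_RESPONSE, ident, 5 + len(type_data)) + bytes([eap_type]) + type_data


def build_tls_response(ident, eap_type, flags, tls_data):
    body = bytes([flags])
    if flags & FLAG_LENGTH_INCLUDED:
        body += struct.pack("!I", len(tls_data))
    return build_response(ident, eap_type, body + tls_data)


def split_into_avps(packet, size=253):
    """Mimic how a NAS spreads a long EAP packet over several EAP-Message AVPs."""
    return [packet[i:i + size] for i in range(0, len(packet), size)]


IDENTITY_PKT = build_response(1, EAP_TYPE_IDENTITY, b"alice")
CLIENT_HELLO = bytes([TLS_HANDSHAKE, 3, 1, 0, 4, 1, 0, 0, 0])   # stub ClientHello record
CLIENT_HELLO_PKT = build_tls_response(2, EAP_TYPE_TLS, FLAG_LENGTH_INCLUDED, CLIENT_HELLO)
CCS_PKT = build_tls_response(3, EAP_TYPE_TLS, 0, bytes([TLS_CHANGE_CIPHER_SPEC, 3, 1, 0, 1, 1]))
FINAL_ACK_PKT = build_tls_response(4, EAP_TYPE_TLS, 0, b"")
TUNNEL_PKT = build_tls_response(5, EAP_TYPE_PEAP, 0, bytes([TLS_APPLICATION_DATA, 3, 1, 0, 2, 0xAA, 0xBB]))

if __name__ == "__main__":
    for pkt in (IDENTITY_PKT, CLIENT_HELLO_PKT, CCS_PKT, FINAL_ACK_PKT, TUNNEL_PKT):
        print(classify_eap(pkt), needs_user_lookup(split_into_avps(pkt)))
```

Two points carry over to the server configuration: the classification has to run on the concatenation of all EAP-Message AVPs, not on the first one, because a ClientHello or a Certificate message is usually fragmented; and the empty `tls-ack` is ambiguous on its own (fragment acknowledgement or end of handshake), so the state of the TLS session, which only the EAP module knows, decides whether authentication is about to happen.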


More information about the Freeradius-Users mailing list