Degradation of service when authentication fails with Windows AD
Antonio Alberola
aalberola at gtt.es
Thu Feb 7 10:51:52 CET 2013
> The PAM APIs are synchronous, and don't offer timeout options.
> It's not possible to timeout a PAM call; FreeRADIUS is entirely
> at the mercy of PAM.
>
> Don't use PAM, it's not suitable for your needs. Use "ntlm_auth",
> and FreeRADIUS can timeout the call.
We migrated to PAM when the problems started. Previously we used "ntlm_auth"
and the problem appeared more frequently. I also recommended using
PAM-Kerberos because they said it was better integrated with Windows.
Is "ntlm_auth" the best way to authenticate with Windows AD? We have several
domains to authenticate and need stability in case one of them does not
respond.