Slow Ldap Authorization

Tyler Brady tbrady at stc-comm.com
Fri Jan 11 23:15:42 CET 2013


Version 2.1.10

Since adding LDAP authorization, my login time has slowed down quite a bit. It takes 4 or 5 seconds longer for FreeRADIUS to get through all of the [ldap] fields and send an Access-Accept. Is this a normal amount of time, or is there something in my configuration that is causing this slowdown?

LDAP Module:

ldap {
        #
        #  Note that this needs to match the name in the LDAP
        #  server certificate, if you're using ldaps.
        server = "172.28.64.10"
        identity = "CN=User Name,OU=Phoenix_Users,DC=company,DC=com"
        password = password
        basedn = "DC=company,DC=com"
        filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))"
        groupmembership_attribute = memberOf
        # base_filter = "(objectclass=radiusprofile)"

        #  How many connections to keep open to the LDAP server.
        #  This saves time over opening a new LDAP socket for
        #  every authentication request.
        ldap_connections_number = 5
}

Debug:

Ready to process requests.
rad_recv: Access-Request packet from host 172.28.64.3 port 1645, id=98, length=85
                User-Name = "RadiusUser"
                User-Password = "password"
                NAS-Port = 3
                NAS-Port-Id = "tty3"
                NAS-Port-Type = Virtual
                Calling-Station-Id = "172.28.64.119"
                NAS-IP-Address = 172.28.64.3
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RadiusUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
  [ldap] Entering ldap_groupcmp()
[files]    expand: DC=company,DC=com -> DC=company,DC=com
[files] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[files]    ... expanding second conditional
[files]    expand: %{User-Name} -> RadiusUser
[files]    expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 172.28.64.10:389, authentication 0
  [ldap] bind as CN=User Name,OU=Alaska_Users,DC=company,DC=com/password to 172.28.64.10:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
  [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
  [ldap] ldap_release_conn: Release Id: 0
[files]    expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom)))
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in DC=company,DC=com, with filter (&(cn=Radius-Users)(|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))))
  [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
  [ldap] object not found
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in CN=User Name,OU=Alaska_Users,DC=company,DC=com, with filter (objectclass=*)
  [ldap] performing search in CN=Radius-Users,OU=Alaska_Users,DC=company,DC=com, with filter (cn=Radius-Users)
rlm_ldap::ldap_groupcmp: User found in group Radius-Users
  [ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 176
++[files] returns ok
[ldap] performing user authorization for RadiusUser
[ldap] WARNING: Deprecated conditional expansion ":-".  See "man unlang" for details
[ldap]    ... expanding second conditional
[ldap]    expand: %{User-Name} -> RadiusUser
[ldap]    expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))
[ldap]    expand: DC=company,DC=com -> DC=company,DC=com
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
  [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP.  Are you sure that the user is configured correctly?
[ldap] user RadiusUser authorized to use remote access
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user.  Authentication may fail because of this.
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> TRUE
++? if (!control:Auth-Type) -> TRUE
++- entering if (!control:Auth-Type) {...}
+++[control] returns noop
++- if (!control:Auth-Type) returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[ntlm_auth]       expand: --username=%{mschap:User-Name} -> --username=RadiusUser
[ntlm_auth]       expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 98 to 172.28.64.3 port 1645
                Service-Type = NAS-Prompt-User
                Cisco-AVPair = "shell:priv-lvl=15"
                Motorola-WIBB-Auth-Role = security-officer-role
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 98 with timestamp +17
Ready to process requests.


T. Brady

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20130111/7dc2789c/attachment-0001.html>
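The debug output above carries no timestamps, so the delay cannot be measured from it directly, but it does record every operation that costs a round trip to the directory: the connection and bind, each search, and each referral the server hands back that rlm_ldap then follows ("rebind to URL ..."). The script below is an added example, not code from the post or from the FreeRADIUS project; it parses the 2.1.x-style "[ldap]" debug lines as they appear in the post (the sample input is those lines, copied from the debug output above) and tallies them, so the reported delay can be set against a count of round trips. It also redacts the bind credential, which this debug format prints in clear after the bind DN.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the "[ldap]" lines from the debug output in the post above,
# for the single Access-Request shown there (get_conn/release lines trimmed).
SAMPLE_DEBUG = r"""
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to 172.28.64.10:389, authentication 0
  [ldap] bind as CN=User Name,OU=Alaska_Users,DC=company,DC=com/password to 172.28.64.10:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
  [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
  [ldap] ldap_release_conn: Release Id: 0
  [ldap] performing search in DC=company,DC=com, with filter (&(cn=Radius-Users)(|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))))
  [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
  [ldap] object not found
  [ldap] performing search in CN=User Name,OU=Alaska_Users,DC=company,DC=com, with filter (objectclass=*)
  [ldap] performing search in CN=Radius-Users,OU=Alaska_Users,DC=company,DC=com, with filter (cn=Radius-Users)
  [ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
  [ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
  [ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
"""

# Line shapes as printed by rlm_ldap in the 2.1.x debug output above (assumed stable).
RECONNECT = re.compile(r"\[ldap\] \(re\)connect to (\S+),")
BIND = re.compile(r"\[ldap\] bind as (.+)/(.*) to (\S+)$")
SEARCH = re.compile(r"\[ldap\] performing search in (.+?), with filter (.+)$")
REBIND = re.compile(r"\[ldap\] rebind to URL (\S+)")


def parse_ldap_debug(text):
    """Walk rlm_ldap debug lines and tally the operations that each cost a round trip."""
    stats = {"reconnects": 0, "binds": [], "searches": [], "referrals": Counter()}
    for raw in text.splitlines():
        line = raw.strip()
        m = RECONNECT.search(line)
        if m:
            stats["reconnects"] += 1
            continue
        m = BIND.search(line)
        if m:
            # The debug line prints the bind credential after "DN/"; keep DN and server only.
            stats["binds"].append((m.group(1), m.group(3)))
            continue
        m = SEARCH.search(line)
        if m:
            stats["searches"].append((m.group(1), m.group(2)))
            continue
        m = REBIND.search(line)
        if m:
            # Each referral followed means a fresh connection and bind to that host.
            stats["referrals"][urlsplit(m.group(1)).netloc] += 1
    return stats


def summarize(stats):
    """Reduce the tallies to the numbers worth setting against the login delay."""
    dup = {s: n for s, n in Counter(stats["searches"]).items() if n > 1}
    return {
        "reconnects": stats["reconnects"],
        "binds": len(stats["binds"]),
        "searches": len(stats["searches"]),
        "referral_rebinds": sum(stats["referrals"].values()),
        "distinct_referral_targets": len(stats["referrals"]),
        "duplicate_searches": dup,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_ldap_debug(SAMPLE_DEBUG)).items():
        print(f"{key}: {value}")
```

Run against the post's own lines this reports one reconnect and bind (the first request on a fresh pooled connection), five searches, and nine referral rebinds to three targets: the ForestDnsZones, DomainDnsZones and Configuration naming contexts, which an Active Directory domain controller returns as referrals for a subtree search rooted at the domain head. It also shows the same sAMAccountName search being run twice, once by ldap_groupcmp from the users file and once by the ldap module's authorize step. Nine referral connections plus a repeated search is the kind of count that can account for several seconds; the usual remedies are the rlm_ldap 2.x options that stop referral chasing (chase_referrals and rebind in the ldap module configuration), a basedn narrower than the domain head, or querying the Global Catalog port, which does not hand back those partition referrals. The redaction in parse_ldap_debug matters because this debug format prints the bind password in clear (and the ntlm_auth expansion prints the user's password), so debug captures should be scrubbed before they are shared.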


More information about the Freeradius-Users mailing list