Slow Ldap Authorization
Tyler Brady
tbrady at stc-comm.com
Fri Jan 11 23:15:42 CET 2013
Version 2.1.10
Since adding LDAP authorization, my login time has slowed down quite a bit. It takes 4 or 5 seconds longer for FreeRADIUS to get through all of the [ldap] fields and send an Access-Accept. Is this a normal amount of time, or is there something in my configuration that is causing this slowdown?
LDAP Module:
ldap {
#
# Note that this needs to match the name in the LDAP
# server certificate, if you're using ldaps.
server = "172.28.64.10"
identity = "CN=User Name,OU=Phoenix_Users,DC=company,DC=com"
password = password
basedn = "DC=company,DC=com"
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{contr$
groupmembership_attribute = memberOf
# base_filter = "(objectclass=radiusprofile)"
# How many connections to keep open to the LDAP server.
# This saves time over opening a new LDAP socket for
# every authentication request.
ldap_connections_number = 5
Debug:
Ready to process requests.
rad_recv: Access-Request packet from host 172.28.64.3 port 1645, id=98, length=85
User-Name = "RadiusUser"
User-Password = "password"
NAS-Port = 3
NAS-Port-Id = "tty3"
NAS-Port-Type = Virtual
Calling-Station-Id = "172.28.64.119"
NAS-IP-Address = 172.28.64.3
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RadiusUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] Entering ldap_groupcmp()
[files] expand: DC=company,DC=com -> DC=company,DC=com
[files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[files] ... expanding second conditional
[files] expand: %{User-Name} -> RadiusUser
[files] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 172.28.64.10:389, authentication 0
[ldap] bind as CN=User Name,OU=Alaska_Users,DC=company,DC=com/password to 172.28.64.10:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in DC=company,DC=com, with filter (&(cn=Radius-Users)(|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=User Name,OU=Alaska_Users,DC=company,DC=com, with filter (objectclass=*)
[ldap] performing search in CN=Radius-Users,OU=Alaska_Users,DC=company,DC=com, with filter (cn=Radius-Users)
rlm_ldap::ldap_groupcmp: User found in group Radius-Users
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 176
++[files] returns ok
[ldap] performing user authorization for RadiusUser
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> RadiusUser
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))
[ldap] expand: DC=company,DC=com -> DC=company,DC=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user RadiusUser authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> TRUE
++? if (!control:Auth-Type) -> TRUE
++- entering if (!control:Auth-Type) {...}
+++[control] returns noop
++- if (!control:Auth-Type) returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=RadiusUser
[ntlm_auth] expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 98 to 172.28.64.3 port 1645
Service-Type = NAS-Prompt-User
Cisco-AVPair = "shell:priv-lvl=15"
Motorola-WIBB-Auth-Role = security-officer-role
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 98 with timestamp +17
Ready to process requests.
T. Brady
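In the trace above, every search performed from the root base DN is followed by three "rebind to URL" lines, which is rlm_ldap chasing the Active Directory partition referrals (ForestDnsZones, DomainDnsZones, Configuration) with a new connection and bind to each referred host, on top of the "(re)connect" at the start of the request. The helper below is an added example, not code from the original post: it tallies those LDAP operations per Access-Request id from radiusd -X output, so the referral round trips can be counted rather than guessed at. The sample trace is a constructed, trimmed copy of the one in the post (one request, id=98).

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the radiusd -X trace in the post above
# (one Access-Request, id=98; one long filter shortened). Real input is the full debug output.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 172.28.64.3 port 1645, id=98, length=85
[ldap] (re)connect to 172.28.64.10:389, authentication 0
[ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] performing search in DC=company,DC=com, with filter (&(cn=Radius-Users)(member=...))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] performing search in CN=User Name,OU=Alaska_Users,DC=company,DC=com, with filter (objectclass=*)
[ldap] performing search in CN=Radius-Users,OU=Alaska_Users,DC=company,DC=com, with filter (cn=Radius-Users)
[ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
Sending Access-Accept of id 98 to 172.28.64.3 port 1645
"""

REQUEST_RE = re.compile(r"^rad_recv: Access-Request .*\bid=(\d+)")
OP_RES = {
    "reconnects": re.compile(r"^\[ldap\] \(re\)connect to "),
    "searches": re.compile(r"^\[ldap\] performing search in "),
    "referral_rebinds": re.compile(r"^\[ldap\] rebind to URL ldaps?://([^/]+)/"),
}

def ldap_ops_per_request(debug_text):
    """Tally rlm_ldap operations per Access-Request id. Each 'rebind to URL' line is a
    referral being chased (DNS lookup + new connection + bind to the referred host), so
    the rebind count per request is the number of extra LDAP round trips on the hot path."""
    stats, current = {}, None
    for line in debug_text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {**{k: 0 for k in OP_RES}, "referral_hosts": Counter()}
        elif current:
            for key, pat in OP_RES.items():
                m = pat.match(line)
                if m:
                    stats[current][key] += 1
                    if key == "referral_rebinds":
                        stats[current]["referral_hosts"][m.group(1)] += 1
    return stats
```

When referral rebinds dominate the tally, the module's referral settings (chase_referrals and rebind in the 2.x rlm_ldap configuration) and a narrower base DN for the searches are the places to look before blaming the directory itself.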