time delay in ntlm_auth?

Matthew Newton mcn4 at leicester.ac.uk
Wed Oct 16 15:15:03 CEST 2013


Hi,

On Wed, Oct 16, 2013 at 10:00:45AM +0100, A.L.M.Buxey at lboro.ac.uk wrote:
> > I've just sent a pull request that adds an option 'timeout' to
> > rlm_exec and 'ntlm_auth_timeout' to rlm_mschap. Defaults are both
> > 10s (the current setting). The ntlm_auth timeout can only be
> > reduced... I can't imagine a correctly functioning AD domain where
> > a successful auth takes >10s.
> 
> how does this sort of thing interplay with those people who are
> using the MSCHAP password retry feature - which would, I believe,
> cause the module itself not to return until the user has finally
> put in a successful password - which might be longer than eg 30s

I don't think this will be an issue - that will be eap/radius
timers? The current hardcoded timeout for an exec is 10 seconds,
so ntlm_auth could never be running for longer than that or it
will get killed off.

I've not looked at it, but I assume any password retries will
re-run ntlm_auth each time (it can't pass a new password to an
existing one, as it's passed on the command line - which I guess
the pipe thing is all about fixing).

Cheers,

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
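
An added sketch (not from the original post, and not FreeRADIUS code) of the behaviour discussed above: every attempt runs a fresh helper process under a hard timeout, so the time a user spends between password retries never counts against any single run. The helper is a constructed stand-in rather than ntlm_auth, and reading the password from stdin instead of the command line is an assumption of this sketch.

```python
import subprocess
import sys

# Constructed stand-in for an external auth helper (NOT ntlm_auth): reads the
# password from stdin, optionally stalls, exits 0 only on the right password.
HELPER = """
import sys, time
password = sys.stdin.readline().rstrip("\\n")
time.sleep(float(sys.argv[1]))
sys.exit(0 if password == "correct-horse" else 1)
"""


def run_helper(password, timeout, delay=0.0):
    """Run one helper process; return 'ok', 'reject' or 'timeout'."""
    proc = subprocess.Popen(
        [sys.executable, "-c", HELPER, str(delay)],  # no secret in argv
        stdin=subprocess.PIPE,
    )
    try:
        proc.communicate(input=(password + "\n").encode(), timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.kill()          # hard limit hit: kill the helper, do not wait on it
        proc.communicate()   # reap the child so no zombie is left behind
        return "timeout"
    return "ok" if proc.returncode == 0 else "reject"


def authenticate_with_retries(passwords, timeout):
    """Each retry starts a new helper with its own timeout budget."""
    results = []
    for password in passwords:
        results.append(run_helper(password, timeout))
        if results[-1] == "ok":
            break
    return results


if __name__ == "__main__":
    print(run_helper("correct-horse", timeout=0.5, delay=3))   # stalled helper
    print(authenticate_with_retries(["wrong", "correct-horse"], timeout=5))
```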

