3.1 and LDAP

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Dec 1 22:58:44 CET 2015


> On 1 Dec 2015, at 03:34, Tynan Young <tynany at gmail.com> wrote:
> 
> Hi,
> 
> I've got freeradius 3.1 up and running (taken from the git repo on the
> 25th Nov) on Ubuntu 14.04 and am having weird issues with LDAP. Hoping
> someone may be able to shed some light.
> 
> I'm using freeradius for dot1x authentication, both wireless
> (peap/mschapv2) and wired via NTLM auth. The freeradius LDAP module is
> used to look up Active Directory group membership and based on
> membership returns the relevant Tunnel-Private-Group-Id.
> 
> The issue I'm having is that the LDAP lookup will work most of the
> time, but will frequently stop working for 5-25 minutes. It will start
> working again without any changes being made. To isolate LDAP
> user/server issues I've tried using different user accounts and 2012
> AD servers.

CN=ldapradiusauth,CN=users,DC=in,DC=testdomain to
ldap://dc1.in.testdomain:389 ldap://dc2.in.testdomain:389 failed:
Timed out while waiting for server to respond
Unable to chase referral
"ldap://DomainDnsZones.in.testdomain/DC=DomainDnsZones,DC=in,DC=testdomain"
(-5: Timed out)

Interesting.

So it looks like it follows the complete referral chain, but then the search operation times out. It may be that timeouts that were not being enforced correctly in v3.0.x are now enforced in v3.1.x; I did fix a fair few of those.

To know for sure, it'd be good to get the debug output with timestamps and maybe a pcap showing what's actually going on.

It really just seems like the LDAP server isn't responding quickly enough.

-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
