Tweaking LDAP parameters
David Hartburn
D.J.Hartburn at kent.ac.uk
Wed Apr 13 15:10:14 CEST 2016
Hi,
Sorry to waste time, but do you mean the full log from doing a 'radius
-X'? I want to clarify because on a production server that will be a
huge log. I am happy to produce it though.
> Set them the same as the thread pools.
Do you mean make 'spare = ${thread[pool].max_servers}'?
Does the default of 32 sound like a reasonable number of max_servers in
radius.conf on a busy site or do a lot of people go higher?
Dave
On 13/04/16 12:58, Alan DeKok wrote:
> On Apr 13, 2016, at 5:12 AM, David Hartburn <D.J.Hartburn at kent.ac.uk> wrote:
>> Yesterday, I moved a fair chunk of our on-site wireless to FreeRADIUS as we migrate from our NPS servers. I have had a number of complaints of users being forced to reauthenticate (prompted for their password again) on odd occasions throughout the day. Logs show a login incorrect:
>>
>> Tue Apr 12 15:06:47 2016 : Auth: (264236) Login OK: [xxx at kent.ac.uk] (from client cwlc-tlb port 2 cli a8:66:7f:12:a9:b9)
>
> Those logs are useless. Post the debug log as suggested in the FAQ, "man" page, web pages, and daily on this list.
>
> Posting OTHER logs is just wasting everyones time.
>
>> It looks like it is rejecting the auth because it can not make the LDAP connection to validate the user.
>
> It looks like the *real* reason why the user is disconnected is in the debug logs.
>
>> Two questions on this. First, is it possible to allow clients a couple of attempts to retry their authentication before completely rejecting and forcing them to enter their password again?
>
> No. The authentication process is driven entirely by the client. There's no way for the RADIUS server to push configuration to the client.
>
>> Second, are there any rules of thumb regarding setting min, max and spare for LDAP connections? At the moment I have:
>
>
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
More information about the Freeradius-Users
mailing list