Running ntlm_auth as a connection pool
Arnab Roy
arnabroy at mail.com
Thu Aug 31 12:26:32 CEST 2017
Hi Alan,
Thanks for the suggestion. I am with you on using native ldap; I guess I
can just do an on-the-fly ldap xlat to get the correct username info.
However, I forgot to mention another challenge! Our winbind socket is
sitting somewhere else, as we run multiple instances of winbind :(
ntlm_auth allows me to specify where it is. I can't see an option when
using direct winbind; even if it means having to do some local patching,
that would do. Just need to know how I can pass this to FreeRADIUS?
Thanks again for your help.
Arnab
Sent: Thursday, August 31, 2017 at 11:18 AM
From: "Alan Buxey" <alan.buxey at gmail.com>
To: "FreeRadius users mailing list"
<freeradius-users at lists.freeradius.org>
Subject: Re: Running ntlm_auth as a connection pool
Easy. Use the native winbind module in latest 3.0.x series. That runs as
a connection pool and is orders of magnitude faster.
Secondly, bash script, calling LDAP and doing things? Terrible for
performance. Use the native ldap functionality in FR to get that value
out of ldap (create a new LDAP module if needed to separate functions).
Use unlang to collect the value and assign it to temporary internal
attribute value. Then use that value in your winbind call. All native,
all threaded, all fast!
alan
On 31 Aug 2017 11:11 am, "Arnab Roy" <arnabroy at mail.com> wrote:
> Hi All,
>
> I am seeing some performance challenges with ntlm_auth (Currently
> running 3.0.15). My setup is pretty non-standard so I will apologise
> for this beforehand. But my hands are tied.
>
> Our mschap module actually calls a shell script which then calls
> ntlm_auth (we actually need to perform an ldap lookup before obtaining
> the samaccount name to pass to ntlm_auth); as expected, this throws up
> some challenges under load.
>
> What I would like to know is if it's possible to do anything to improve
> performance under these circumstances. I know the direct winbind
> mode would have been great but the ldap lookup is critical for things
> to work our end.
>
> Mr Google returned some suggestions that there was an option to run
> ntlm_auth as a connection pool; is it still there / was it dropped in
> favour of direct winbind connectivity?
>
> Any suggestions welcome.
>
> Many Thanks
> Arnab
> -
> List info/subscribe/unsubscribe? See [1]http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See
[2]http://www.freeradius.org/list/users.html
References
1. http://www.freeradius.org/
2. http://www.freeradius.org/list/users.html
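
The approach Alan describes above (native LDAP lookup into a temporary attribute, then the native winbind call) could be laid out roughly as follows. This is an added example, not configuration posted in the thread, and it does not address the non-default winbind socket location raised in the reply. It assumes a 3.0.x build with winbind support; the instance name ldap_sam, the server, DNs, domain and the mail search key are hypothetical.

```conf
# Added illustration. Host, DNs, domain and the "mail" search key are
# assumed placeholders; none of them come from the thread.

# mods-available/ldap_sam: ldap instance used only for the name lookup
ldap ldap_sam {
	server   = "ldap.example.org"
	identity = "cn=radius,dc=example,dc=org"
	password = "CHANGE_ME"
	base_dn  = "dc=example,dc=org"
	pool {
		start = 5
		min   = 5
		max   = 20
	}
}

# mods-available/mschap: the winbind_* options make rlm_mschap talk to
# winbind over pooled connections instead of exec'ing ntlm_auth
mschap {
	winbind_username = "%{control:Tmp-String-0}"
	winbind_domain   = "EXAMPLE"
	pool {
		start = 5
		min   = 5
		max   = 20
	}
}

# sites-available/default
authorize {
	# Native LDAP xlat replaces the lookup the shell script performed
	update control {
		&Tmp-String-0 := "%{ldap_sam:ldap:///dc=example,dc=org?sAMAccountName?sub?(mail=%{User-Name})}"
	}
	# Lookup failed or returned nothing: stop before calling winbind
	if ("%{control:Tmp-String-0}" == "") {
		reject
	}
	mschap
}
authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
}
```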