Reducing DNS lookups
Michael Ströder
michael at stroeder.com
Tue Feb 21 18:45:01 CET 2017
Matthew Newton wrote:
> On Tue, Feb 21, 2017 at 07:48:25AM -0500, Alan DeKok wrote:
>> On Feb 21, 2017, at 7:10 AM, David Hartburn <D.J.Hartburn at kent.ac.uk> wrote:
>>> For our LDAP queries, we have specified the forest DNS name as
>>> the LDAP server, so that we achieve via DNS a random
>>> distribution of queries against our AD servers. Previously we
>>> had hammered the first server on the list.
>>
>> But the underlying problem is likely that your AD system is
>> returning redirects. A LOT of them.
>
> If the data is in the Global Catalogue, point FreeRADIUS at port
> 3269 on the DCs instead of 636. It should stop the referrals, and
> therefore also speed up LDAP searches.
Since chasing LDAPv3 referrals is a broken concept, I always recommend setting
chase_referrals = no
IMHO it should be the default in the FreeRADIUS sample config.
Ciao, Michael.