Load balance LDAP servers for group checking
highl1 at gmail.com
Mon May 15 10:58:26 CEST 2017
Thanks. This message got lost in the chain, if anyone can maybe verify what
I am doing is right:
I have this in my ldap module config
# seconds to wait for LDAP query to finish. default: 20
timeout = 4
# seconds LDAP server has to process the query (server-side
# time limit). default: 20
# LDAP_OPT_TIMELIMIT is set to this value.
timelimit = 3
# seconds to wait for response of the server. (network
# failures) default: 10
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
net_timeout = 1
And I am almost positve that I didn't change this one. Does this means I am
only allowing 4 seconds for LDAP query to finish, and only 3 for LDAP to
process? Also, timeout is just 1 second, which seems pretty low.
Guess that if my settings here are wrong, I can fix my problem just by
setting bigger values, since the LDAP is not down
Thanks for all your help!
On Fri, May 12, 2017 at 6:52 PM, Alan DeKok <aland at deployingradius.com>
> On May 12, 2017, at 12:19 PM, Petar Marinkovic <highl1 at gmail.com> wrote:
> > Well, LDAP is Windows AD, and they're constantly up, I more think it's a
> > issue from the KVM running freeradius VM, that for some reason networking
> > is lost, or the switches.
> That's possible, too.
> > I would get failed authentications somewhere else
> > as well, not just through freeradius with group AD check.
> Maybe. But with v2, FreeRADIUS is probably doing more LDAP queries than
> anything else.
> > At v3, how long are the group checks cached? Is there a setting it can be
> > defined or ? Also, does that mean at the next re-authentication request,
> > will check the MAC address and certificate, but will use the cached group
> > value?
> No. Each request is independent of others.
> When it does the first LDAP group check, it caches *all* of the groups.
> So that subsequent group checks for the same request use the cached entries.
> Alan DeKok.
> List info/subscribe/unsubscribe? See http://www.freeradius.org/
More information about the Freeradius-Users