On Fri, Feb 23, 2007 at 02:49:57PM +0000, [EMAIL PROTECTED] wrote:
> Hi,
>
> > active sessions and if he is allowed to have a session the request is
> > proxied to the FUNK server that performs the actual authentication. So
> > the setup is a classical proxy setup. This policy decision of whether
>   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> whoah. steady on there. this is not a classical proxy setup. in a classical
> proxy setup ALL authentication is handled by a 3rd party. in this case you
> are doing an LDAP authorization on the FreeRADIUS box.

OK you have a point there, my wording is incorrect. Yes, we do make an
authorization decision in the freeradius box.

> the fact that this
> works on testing but not in high-volume production points a marked finger
> towards this LDAP process.
>

The 'ldap process' you refer to is actually rlm_ldap and a tiny module of
ours. However, we have never observed any issues with them, no error
messages or any other logging messages. I believe I have a valid and quite
simple (for my purposes of course) configuration. I make the authorization
decision and if all OK, I proxy the request, otherwise I reject the request
without proxying it. radiusd -X confirms that the configuration is correct,
however I have this problem behaviour in large scale. My initial suspicions
go to the proxying code to be honest, but I need to take a good look to
grasp it.

> alan

Kostas