Brian Wilson <briw...@yahoo.com> wrote:
>
> I will need to do some more research on inner-tunnels, as I'm not too
> familiar with them. How would I add the ldap components? As part of
> the peap module itself? All the documentation I've found on LDAP
> requires the ldap modules to be referenced in both the authorize and
> authentication sections directly. It would be useful to see some more
> examples.
>

Looking below, the problem is not removing the LDAP lookups but speeding them up. I would strongly recommend you speak to the LDAP administrator and tell them to index 'cn' and 'objectclass'. As you are using eDirectory I would normally guess

So the alternative plan of action is to look at your use object classes and make your searches more specific, I use something like:

    (&(objectClass=Person)(cn=%{%{Stripped-User-Name}:-%{User-Name}}))

As you are querying eDirectory there will be *lots* of objects in there that are not actual users. You use 'objectClass' to only search for *real* people (stripping out file shares, files, workstations, printers, etc etc) and then you hunt for the username.

By using "ldapsearch -LLL -x -h ldap.example.com '<query>'" you will be able to work out what is fast and what is slow against your directory.

As you are using eDirectory I assume you work in academia, I *strongly* recommend you force people to enter in their realm with their username (for example b...@example.edu) from the start...otherwise you are going to be kicking yourself when you look to things like 'eduroam'[1].

Cheers

[1] your users will roam to other universities to find their credentials do not work as they are presenting themselves as 'bob' rather than 'b...@example.edu' and so their request is rejected. The solution is to reject realmless logins even locally as your helpdesk will refuse to listen unless when they do does not work

-- 
Alexander Clouter
.sigmonster says: There's no time like the pleasant.
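
An added example, not part of the post above or of FreeRADIUS: a shell sketch of the two checks described, rejecting realmless logins and timing the narrowed filter against a plain cn search with ldapsearch. LDAP_HOST, the sample login and the filter-escaping helper are assumptions; the escaping goes beyond what the post covers.

```shell
#!/bin/sh
# Added example. Set LDAP_HOST to run the timing; without it only the
# helper functions are defined.

# Require user@realm with both parts non-empty (reject realmless logins).
has_realm() {
    case "$1" in
        ?*@?*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Drop the realm, as %{%{Stripped-User-Name}:-%{User-Name}} does in the filter.
strip_realm() {
    printf '%s' "${1%@*}"
}

# Escape RFC 4515 filter metacharacters so a login cannot alter the filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the narrowed filter from the post for one login; fails if realmless.
person_filter() {
    has_realm "$1" || return 1
    printf '(&(objectClass=Person)(cn=%s))' "$(ldap_escape "$(strip_realm "$1")")"
}

# Time one filter: prints elapsed seconds, entries returned, and the filter.
# Uses -h as in the post; -H ldap://host is the URI form of the same option.
time_filter() {
    start=$(date +%s)
    count=$(ldapsearch -LLL -x -h "$LDAP_HOST" "$1" dn | grep -c '^dn:')
    end=$(date +%s)
    printf '%3ds %6d entries  %s\n' "$((end - start))" "$count" "$1"
}

if [ -n "${LDAP_HOST:-}" ]; then
    login='bob@example.edu'   # constructed sample login
    time_filter "(cn=$(ldap_escape "$(strip_realm "$login")"))"
    time_filter "$(person_filter "$login")"
fi
```

Second-level resolution from `date +%s` is enough to separate an indexed lookup from a full scan on a large directory.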