On 18.04.2012 12:33, Phil Mayers wrote:
On 18/04/12 09:40, Tobias Hachmer wrote:
I'm using a sql database for authorization and ldap for
authentication.
For fail-over reasons I want to authenticate against user-password
information stored in my sql database if my ldap servers are not
available (all ldap modules return fail).
Why would you do this?
Simply as a fallback, in case there is maintenance on the network
where the ldap servers are connected to. In this case we still need to log on
to our switches.
If SQL contains the users, just auth to SQL, surely?
If you can explain your use-case, people might be able to make better
suggestions.
Ok, I configure the same users, these are about 10-15 users, which are
stored in Active Directory, in the sql database.
The sql database should be used for authentication only if the ldap
servers are not available.
So I set the network interfaces of my ldap servers manually to down and
started testing. But the timeouts for every ldap module are too big
(circa 50 seconds).
I noticed the timeout directives in the ldap module. In all three ldap
modules the net_timeout is set to "1".
Question 1: How can I reduce these timeouts?
Which LDAP client libraries are you using, and which version?
I use Debian squeeze with the libldap package libldap-2.4-2; an "apt-cache
show libldap-2.4-2" shows Version: 2.4.23-7.2
Which version of FreeRADIUS?
FreeRADIUS 2.1.12
What does a "tcpdump" show for port 389 during your tests? Do you get
TCP RSTs, ICMP errors, or what?
So I just sniffed the network for packets and noticed that my
freeradius machine sends out a lot of ARP packets for the DNS server.
Then I added the ldap server to the hosts file and now net_timeout
= 1 seems to work. The timeouts now are ok and the first radius request
is answered in time.
After that I changed my configuration to this:

    Auth-Type LDAP {
        redundant {
            redundant-load-balance {
                ldap1
                ldap2
                ldap3
            }
            pap
        }
    }
and it works now as expected.
My questions are answered and my problems seem to be solved. If anyone
has any further suggestions, please let me know.
Thank you for your reply. You pointed me in the right direction.
Regards,
Tobias Hachmer
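The final unlang block from the thread, shown together with the ldap instance settings that decide how fast each server is given up on, as an added example (not from the original posts). The server addresses, bind DN, base DN and filter are assumed placeholders; the directive names are those of the FreeRADIUS 2.x raddb/modules/ldap file.

```text
# raddb/modules/ldap  (FreeRADIUS 2.x) -- one instance per directory server.
# Added illustration; addresses and DNs are placeholders.
ldap ldap1 {
    # An IP address (or a name present in /etc/hosts) keeps the connect
    # attempt from stalling on DNS when the directory network is unreachable,
    # which is what made net_timeout = 1 look ineffective in the thread.
    server = "192.0.2.11"
    identity = "cn=radius,ou=svc,dc=example,dc=org"
    password = "CHANGE-ME"
    basedn = "dc=example,dc=org"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

    net_timeout = 1   # seconds to wait at the network level (connect / no reply)
    timeout = 4       # seconds to wait for one LDAP operation to finish
    timelimit = 3     # server-side search time limit in seconds
}
# ldap2 and ldap3 are defined the same way with their own server = lines.

# raddb/sites-enabled/default, authenticate section.
# redundant-load-balance spreads normal load over the three instances and
# moves to the next one only when an instance returns "fail"; when all
# three fail, the outer redundant block reaches pap, which checks the
# password that sql supplied during authorize. A "reject" from a reachable
# LDAP server ends the section there, so the SQL copy of the password is
# only consulted when the directory cannot be contacted.
authenticate {
    Auth-Type LDAP {
        redundant {
            redundant-load-balance {
                ldap1
                ldap2
                ldap3
            }
            pap
        }
    }
}
```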
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html