On 18.04.2012 12:33, Phil Mayers wrote:
On 18/04/12 09:40, Tobias Hachmer wrote:
I'm using a sql database for authorization and ldap for authentication.
For fail-over reasons I want to authenticate against user-password
information stored in my sql database if my ldap servers are not
available (all ldap modules return fail).
Why would you do this?
Simply as a fallback, in case there is maintenance on the network where the ldap servers are connected to. In this case we still need to log on to our switches.


If SQL contains the users, just auth to SQL, surely?
If you can explain your use-case, people might be able to make better
suggestions.
OK, I configure the same users (about 10-15 users, which are stored in Active Directory) in the sql database. The sql database should be used for authentication only if the ldap servers are not available.

So I set the network interfaces of my ldap servers manually to down and
started testing. But the timeouts for every ldap module are too big
(circa 50 seconds).
I noticed the timeout directives in the ldap module. In all three ldap
modules the net_timeout is set to "1".

Question 1: How can I reduce these timeouts?

Which LDAP client libraries are you using, and which version?
I use debian squeeze with libldap package libldap-2.4-2, an apt-cache show libldap-2.4-2 shows the Version: 2.4.23-7.2

Which version of FreeRADIUS?
FreeRADIUS 2.1.12

What does a "tcpdump" show for port 389 during your tests? Do you get TCP RSTs, ICMP errors, or what?
So I just sniffed the network for packets and noticed that my freeradius machine sends out a lot of arp packets for the dns server. Then I added the ldap server to the hosts file and now net_timeout = 1 seems to work. The timeouts are OK now and the first radius-request is answered in time.

After that I changed my configuration to this:

        Auth-Type LDAP {
                redundant {
                        # try one directory server at random, fall through to
                        # the others if it fails
                        redundant-load-balance {
                                ldap1
                                ldap2
                                ldap3
                        }
                        # reached only when all ldap instances returned fail:
                        # authenticate against the password stored in sql
                        pap
                }
        }

and it works now as expected.

My questions are answered and my problems seem to be solved. If anyone has any further suggestions, please let me know anyway.

Thank you for your reply. You pointed me in the right direction.

Regards,

Tobias Hachmer

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
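The setup Tobias describes (LDAP first, SQL-stored password only when every directory server is unreachable) written out as a complete FreeRADIUS 2.1.x configuration. This is an added example, not configuration posted in the thread or shipped by the FreeRADIUS project; the server addresses, bind DN, base DN, passwords and the radcheck row are assumptions for illustration. Two points from the thread are built in: the ldap instances are addressed by IP (or a name resolvable from /etc/hosts) so that resolver timeouts cannot inflate net_timeout, and the directory is not queried in authorize, so an unreachable server cannot reject the request before the redundant block in authenticate ever runs. The security caveat of this design is that it fails open relative to the directory: whoever can make all LDAP servers unreachable (or wait for a maintenance window) is authenticated against the SQL copy, so that copy should hold only the handful of admin accounts, store a salted hash rather than a cleartext password, and be kept in step with the directory (a user disabled in AD but still present in radcheck can log in while LDAP is down).

```conf
# Added example for FreeRADIUS 2.1.x; addresses, DNs and passwords are assumed.

# --- modules/ldap : one instance per directory server -----------------------
ldap ldap1 {
	server = "192.0.2.10"          # assumed address; IP avoids DNS dependency
	port = 389
	identity = "cn=radius,cn=Users,dc=example,dc=net"   # assumed bind DN
	password = "bind-password"                           # assumed
	basedn = "dc=example,dc=net"
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Failure budget per server, in seconds. With three servers tried in
	# turn, the worst case before pap runs is roughly 3 * timeout, which
	# must stay inside the NAS's RADIUS retransmit window.
	net_timeout = 1        # connect / network failure
	timeout = 2            # total wait for a query to finish
	timelimit = 2          # server-side search limit
	ldap_connections_number = 5

	# Auth-Type is forced in authorize below, not by this module.
	set_auth_type = no
}

ldap ldap2 {
	server = "192.0.2.11"          # assumed
	port = 389
	identity = "cn=radius,cn=Users,dc=example,dc=net"
	password = "bind-password"
	basedn = "dc=example,dc=net"
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	net_timeout = 1
	timeout = 2
	timelimit = 2
	ldap_connections_number = 5
	set_auth_type = no
}

ldap ldap3 {
	server = "192.0.2.12"          # assumed
	port = 389
	identity = "cn=radius,cn=Users,dc=example,dc=net"
	password = "bind-password"
	basedn = "dc=example,dc=net"
	filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	net_timeout = 1
	timeout = 2
	timelimit = 2
	ldap_connections_number = 5
	set_auth_type = no
}

# --- modules/pap : verifies the fallback password supplied by sql -----------
pap {
	auto_header = yes
}

# --- radcheck row for one of the fallback admin accounts (assumed) ----------
# username   attribute        op    value
# admin1     SSHA-Password    :=    <base64 salted SHA-1 of the password>
# A hashed attribute (SSHA-Password, NT-Password, Crypt-Password) is
# preferred over Cleartext-Password; pap can verify all of them.

# --- sites-enabled/default --------------------------------------------------
authorize {
	preprocess
	# sql supplies authorization attributes and, for the fallback,
	# the hashed password copy from radcheck.
	sql
	# Force LDAP authentication without consulting the directory here:
	# if ldap were called in authorize, an unreachable server would
	# return fail and the request would be rejected before authenticate.
	update control {
		Auth-Type := LDAP
	}
}

authenticate {
	Auth-Type LDAP {
		redundant {
			# pick one live server at random, try the others on fail
			redundant-load-balance {
				ldap1
				ldap2
				ldap3
			}
			# redundant only moves on when the previous entry returned
			# fail; a wrong password against a reachable directory is a
			# reject and stops here, so pap is reached only when all
			# three servers are unreachable.
			pap
		}
	}
}
```

Each ldap instance performs its own search and bind in authenticate because authorize has not cached the user's DN. The redundant block's behaviour (continue on fail, stop on any other return code) is what makes the fallback safe against a simple wrong password; it does not protect against an attacker who can take the directory servers off the network, which is why the SQL copy must be small, hashed and kept current.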