On 18/04/12 13:16, Tobias Hachmer wrote:

Ok, I configure the same users, these are about 10-15 users, which
are stored in Active Directory, in the sql database. The sql database
should be used for authentication only if the ldap servers are not
available.

So the SQL server contains an "emergency" subset of the real users?

I guess that makes sense.


Which LDAP client libraries are you using, and which version?
I use Debian squeeze with libldap package libldap-2.4-2; an apt-cache show libldap-2.4-2 shows the Version: 2.4.23-7.2

Which version of FreeRADIUS?
FreeRADIUS 2.1.12

What does a "tcpdump" show for port 389 during your tests? Do you
get TCP RSTs, ICMP errors, or what?

So I just sniffed the network for packets and recognized that my
freeradius machine sends out a lot of arp packets for the dns
server. Then I added the ldap server to the hosts file and now the
net_timeout = 1 seems to work. The timeouts now are ok and the first
radius-request is answered in time.

Ok, that's good to know.

This is sort of what I mean when I refer to libldap having an API that is sub-optimal in some cases; the net_timeout should really apply to an entire connection attempt, not just the connect() or read() calls.

It's hard to know what FreeRADIUS can do about this; maybe there is scope for some kind of long-lived helper process that pools and polls the LDAP servers, pro-actively detecting failures. But it seems a complex solution.
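The net_timeout point above, as an added example that is not part of the original thread, of FreeRADIUS or of libldap: a reachability probe in Python in which name resolution and every connect() attempt share one deadline, so a slow or unreachable DNS server (the failure found with tcpdump above) is charged against the same budget instead of stalling before the timeout even starts. The budget value and the helper names are assumptions.

```python
# Added example: one deadline spanning resolution and connect(); not rlm_ldap code.
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

def resolve_with_deadline(host, port, deadline):
    """getaddrinfo() has no timeout, so run it in a worker thread and stop
    waiting when the budget runs out (a hung lookup is abandoned)."""
    remaining = deadline - time.monotonic()
    if remaining <= 0:
        raise TimeoutError("budget exhausted before name resolution")
    pool = ThreadPoolExecutor(max_workers=1)
    try:
        return pool.submit(socket.getaddrinfo, host, port, 0, socket.SOCK_STREAM).result(timeout=remaining)
    except FutureTimeout:
        raise TimeoutError(f"name resolution of {host} exceeded budget")
    finally:
        pool.shutdown(wait=False)  # never block on a lookup that is still hanging

def probe(host, port=389, budget=1.0):
    """Reachability check; resolution and every connect() share one clock."""
    start = time.monotonic()
    deadline = start + budget
    errors = []
    try:
        for family, socktype, proto, _, sockaddr in resolve_with_deadline(host, port, deadline):
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                errors.append("budget exhausted before connect()")
                break
            sock = socket.socket(family, socktype, proto)
            sock.settimeout(remaining)  # only what is left of the budget, not a fresh timer
            try:
                sock.connect(sockaddr)
                return {"ok": True, "addr": sockaddr, "elapsed": time.monotonic() - start, "error": None}
            except OSError as exc:
                errors.append(f"{sockaddr}: {exc}")
            finally:
                sock.close()  # reachability only; no LDAP bind is attempted
    except OSError as exc:  # gaierror or TimeoutError raised during resolution
        errors.append(str(exc))
    return {"ok": False, "addr": None, "elapsed": time.monotonic() - start, "error": "; ".join(errors)}

def start_local_listener():
    """Stand-in 'LDAP server' on an ephemeral loopback port, for offline use."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]
```

Pointing the probe at each server in the ldap module's failover list from a cron job, with the same budget as net_timeout, shows whether the configured value actually bounds a full attempt on the host in question.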
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
