Version 2.1.10

Since adding LDAP authorization, my login time has slowed down quite a bit. It takes 4 or 5 seconds longer for FreeRADIUS to get through all of the [ldap] fields and send an Access-Accept. Is this a normal amount of time, or is there something in my configuration that is causing this slowdown?
LDAP Module:

ldap {
	#
	# Note that this needs to match the name in the LDAP
	# server certificate, if you're using ldaps.
	server = "172.28.64.10"
	identity = "CN=User Name,OU=Phoenix_Users,DC=company,DC=com"
	password = password
	basedn = "DC=company,DC=com"
	filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))"
	groupname_attribute = cn
	groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{contr$
	groupmembership_attribute = memberOf
	# base_filter = "(objectclass=radiusprofile)"

	# How many connections to keep open to the LDAP server.
	# This saves time over opening a new LDAP socket for
	# every authentication request.
	ldap_connections_number = 5

Debug:

Ready to process requests.
rad_recv: Access-Request packet from host 172.28.64.3 port 1645, id=98, length=85
	User-Name = "RadiusUser"
	User-Password = "password"
	NAS-Port = 3
	NAS-Port-Id = "tty3"
	NAS-Port-Type = Virtual
	Calling-Station-Id = "172.28.64.119"
	NAS-IP-Address = 172.28.64.3
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "RadiusUser", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[ldap] Entering ldap_groupcmp()
[files] expand: DC=company,DC=com -> DC=company,DC=com
[files] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[files] ... expanding second conditional
[files] expand: %{User-Name} -> RadiusUser
[files] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 172.28.64.10:389, authentication 0
[ldap] bind as CN=User Name,OU=Alaska_Users,DC=company,DC=com/password to 172.28.64.10:389
[ldap] waiting for bind result ...
[ldap] Bind was successful
[ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] ldap_release_conn: Release Id: 0
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom)))
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in DC=company,DC=com, with filter (&(cn=Radius-Users)(|(&(objectClass=GroupOfNames)(member=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dUser Name\2cOU\3dAlaska_Users\2cDC\3dcompany\2cDC\3dcom))))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] object not found
[ldap] ldap_release_conn: Release Id: 0
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in CN=User Name,OU=Alaska_Users,DC=company,DC=com, with filter (objectclass=*)
[ldap] performing search in CN=Radius-Users,OU=Alaska_Users,DC=company,DC=com, with filter (cn=Radius-Users)
rlm_ldap::ldap_groupcmp: User found in group Radius-Users
[ldap] ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 176
++[files] returns ok
[ldap] performing user authorization for RadiusUser
[ldap] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details
[ldap] ... expanding second conditional
[ldap] expand: %{User-Name} -> RadiusUser
[ldap] expand: (&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})) -> (&(sAMAccountName=RadiusUser))
[ldap] expand: DC=company,DC=com -> DC=company,DC=com
[ldap] ldap_get_conn: Checking Id: 0
[ldap] ldap_get_conn: Got Id: 0
[ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] No default NMAS login sequence
[ldap] looking for check items in directory...
[ldap] looking for reply items in directory...
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
[ldap] user RadiusUser authorized to use remote access
[ldap] ldap_release_conn: Release Id: 0
++[ldap] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.
++[pap] returns noop
++? if (!control:Auth-Type)
? Evaluating !(control:Auth-Type) -> TRUE
++? if (!control:Auth-Type) -> TRUE
++- entering if (!control:Auth-Type) {...}
+++[control] returns noop
++- if (!control:Auth-Type) returns noop
Found Auth-Type = ntlm_auth
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[ntlm_auth] expand: --username=%{mschap:User-Name} -> --username=RadiusUser
[ntlm_auth] expand: --password=%{User-Password} -> --password=password
Exec-Program output: NT_STATUS_OK: Success (0x0)
Exec-Program-Wait: plaintext: NT_STATUS_OK: Success (0x0)
Exec-Program: returned: 0
++[ntlm_auth] returns ok
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 98 to 172.28.64.3 port 1645
	Service-Type = NAS-Prompt-User
	Cisco-AVPair = "shell:priv-lvl=15"
	Motorola-WIBB-Auth-Role = security-officer-role
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 98 with timestamp +17
Ready to process requests.

T. Brady
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
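Added here as an editor's illustration, not part of the post above or of FreeRADIUS itself: a short Python script that reads rlm_ldap 2.x debug output in the format shown in the post and counts the LDAP round trips made for one request (reconnects, searches, and "rebind to URL" referral chases), since every referral to the ForestDnsZones, DomainDnsZones or Configuration partition is a separate DNS lookup plus a new bind. The sample log it parses is constructed in the post's format, and the wording of the diagnose() hints is the editor's assumption about where such a request spends its time.

```python
import re
from collections import Counter

# Constructed sample in the rlm_ldap 2.x debug format shown in the post (not the
# original log verbatim): one reconnect, three searches, and the two searches
# rooted at the domain head each chasing three AD partition referrals.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.28.64.3 port 1645, id=98, length=85
[ldap] attempting LDAP reconnection
[ldap] (re)connect to 172.28.64.10:389, authentication 0
[ldap] performing search in DC=company,DC=com, with filter (&(sAMAccountName=RadiusUser))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] performing search in DC=company,DC=com, with filter (&(cn=Radius-Users)(member=*))
[ldap] rebind to URL ldap://ForestDnsZones.company.com/DC=ForestDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://DomainDnsZones.company.com/DC=DomainDnsZones,DC=company,DC=com
[ldap] rebind to URL ldap://company.com/CN=Configuration,DC=company,DC=com
[ldap] performing search in CN=User Name,OU=Alaska_Users,DC=company,DC=com, with filter (objectclass=*)
Sending Access-Accept of id 98 to 172.28.64.3 port 1645
"""

SEARCH_RE = re.compile(r"^\[ldap\] performing search in (?P<base>.+?), with filter ")
REBIND_RE = re.compile(r"^\[ldap\] rebind to URL ldap://(?P<host>[^/\s]+)")
RECONNECT_RE = re.compile(r"^\[ldap\] attempting LDAP reconnection")

def summarise_ldap(log_text):
    """Count the LDAP round trips rlm_ldap made for one debug-logged request."""
    stats = {"searches": 0, "referrals": 0, "reconnects": 0,
             "bases": Counter(), "referral_hosts": Counter()}
    for line in log_text.splitlines():
        if (m := SEARCH_RE.match(line)):
            stats["searches"] += 1
            stats["bases"][m.group("base")] += 1
        elif (m := REBIND_RE.match(line)):
            stats["referrals"] += 1  # each one costs a DNS lookup plus a new bind
            stats["referral_hosts"][m.group("host")] += 1
        elif RECONNECT_RE.match(line):
            stats["reconnects"] += 1  # the pooled connection was not reused
    return stats

def diagnose(stats):
    """Plain-language hints about where the request spent its round trips."""
    hints = []
    if stats["reconnects"]:
        hints.append("connection reopened mid-request: the pool is not being reused")
    if stats["referrals"]:
        hints.append("%d referrals chased over %d searches: searches rooted at the domain "
                     "head return AD partition referrals" % (stats["referrals"], stats["searches"]))
    return hints
```

Run it against a real `radiusd -X` capture by passing the file contents to summarise_ldap(); a high referral count per search points at the search base rather than at the RADIUS side.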