Re: Nas Type

2007-07-29 Thread YvesDM
On 7/27/07, Roberto Greiner <[EMAIL PROTECTED]> wrote:
>
> Hi,
>
> I was starting to look at checkrad, and found (based on
> http://www.freeradius.org/radiusd/doc/Simultaneous-Use) that using
> "other" as the NAS-type will actually check only radutmp instead of
> looking at the actual NAS. Now, Could someone point me what would be the
> proper NAS type to use for each of the devices below(or the proper
> reference document to use)? I'm using the following NASes in my network:
>
> Monowall
> pfSense
> (3Com) Total Control
> PopTop (in Linux)
>
> What I want to do is to use checkrad as one of the steps to make sure
> that whoever appears as logged is really logged in, because I'm trying
> to use Simultaneous-use check, and some of the above (notably monowall)
> doesn't seem to be clearing properly sometimes.
>
> Thank you very much,
>
> Roberto Greiner
>
> --


Hi Robert,


As for m0n0wall (and I guess pfsense too), you can also use the "disable
concurrent logins" option in the CP setup.
This way there will never be simultaneous use from the same nas.

Kind Regards,
Yves
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

LDAP error in dialup admin page

2007-07-29 Thread Bishal

I am trying to use freeradius 1.1.7 in Freebsd 6.2 with openldap 2.3.37
for authentication and mysql for accounting.

While creating new user I get following error in dialup admin page:

Warning: file(/usr/local/etc/raddb/ldap.attrmap) [function.file]: failed
to open stream: Permission denied in
/usr/local/www/apache22/data/dialupadmin/lib/ldap/attrmap.php3 on line 4

Warning: Invalid argument supplied for foreach() in
/usr/local/www/apache22/data/dialupadmin/lib/ldap/attrmap.php3 on line 5



Re: Adding a NAS via SQL

2007-07-29 Thread Paul Lambert
Thanks for your help guys.

I guess a way to prevent the DoS is through the correct use of a firewall?

Kind regards,
Paul.

On 7/28/07, Peter Nixon <[EMAIL PROTECTED]> wrote:
>
> On Sat 28 Jul 2007, Paul Lambert wrote:
> > Hi,
> >
> > I have now taken a look through the archives and I can't see a clean
> > solution for reloading the nas without restarting. I assume this is what
> > you were suggesting I do via cron?
>
> Yep.. The short answer is that FreeRADIUS does not currently reload the
> nas
> table automatically, and does not currently support HUP properly. Not
> perfect, but thats the way it is.
>
> If you can think of a secure way to do either or both, and write a patch
> to
> implement it, we would be happy :-)
>
> Cheers
>
> --
>
> Peter Nixon
> http://peternixon.net/

Re: Adding a NAS via SQL

2007-07-29 Thread Peter Nixon
Yeah. That would be one way, but it's kind of like saying we are going to 
introduce a new feature to a BMW that makes it dangerous at speeds over 
100km so don't drive it on an autobahn...

It is an issue that has been discussed previously and FreeRADIUS is unlikely 
to ever do an SQL SELECT of the nas table for every inbound packet. What may 
be possible is to reload the nas list at certain intervals (from cron is the 
easiest) but until/unless HUP handling is improved that is problematic for 
deployments that need to keep session state (i.e. EAP users). If you don't use 
EAP, then there is no problem doing a full restart on a regular basis.

Cheers

Peter




-- 

Peter Nixon
http://peternixon.net/


OCSP support at FreeRadius

2007-07-29 Thread Frank Büttner
Hello,
does anyone know when FreeRadius will support OCSP at the eap-tls
module? Because crl's are not very useful; you have to restart the
radius daemon every time you revoke a certificate or when a
new crl comes out in its normal turn.

Frank



Re: OCSP support at FreeRadius

2007-07-29 Thread Alan DeKok
Frank Büttner wrote:
> does anyone know when FreeRadius will support OCSP at the eap-tls
> module?

  As soon as someone sends a patch, or pays for development.

  Alan DeKok.

Re: LDAP error in dialup admin page

2007-07-29 Thread Kostas Kalevras
Bishal wrote:
> I am trying to use freeradius 1.1.7 in Freebsd 6.2 with openldap 2.3.37
> for authentication and mysql for accounting.
>
> While creating new user I get following error in dialup admin page:
>
> Warning: file(/usr/local/etc/raddb/ldap.attrmap) [function.file]: failed
> to open stream: Permission denied in
> /usr/local/www/apache22/data/dialupadmin/lib/ldap/attrmap.php3 on line 4
>   
I think the problem is exactly what is written. Check the permissions 
to the /usr/local/etc/raddb/ldap.attrmap file. Especially check that the 
apache process (usually runs as nobody) can open the file.
> Warning: Invalid argument supplied for foreach() in
> /usr/local/www/apache22/data/dialupadmin/lib/ldap/attrmap.php3 on line 5
>


-- 
Kostas Kalevras - Network Operations Center
National Technical University of Athens
http://kkalev.wordpress.com


"WPA keys" that expires after use

2007-07-29 Thread Ferdo Piš
I would like to setup a wireless network in my shop for my customers. And 
instead of giving them WPA Shared Key, which is valid until I change it 
manually, I would like to give them a "WPA key, which is valid only for x 
hours".

The idea is, that the router does the authentication via radius server, which 
stores predefined "WPA keys". When user uses one of them to access the network, 
the "WPA key" is activated. After specified period of time, radius server 
automatically deactivates the WPA key and disconnects user.

This way, I could forget about changing WPA key manually every week, stop 
worrying that my key was spread too much, etc.

Is this possible with FreeRadius server? If yes, is there any "how-to" on this 
subject? Or do you recommend any other approach?

Ferd0




   



Re: Adding a NAS via SQL

2007-07-29 Thread A . L . M . Buxey
Hi,

> It is an issue that has been discussed previously and FreeRADIUS is unlikely 
> to ever do an SQL SELECT of the nas table for every inbound packet. What may 
> be possible is to reload the nas list at certain intervals (from cron is the 
> easiest) but until/unless HUP handling is improved that is problematic for 
> deployments that need to keep session state (ie. EAP users). If you dont use 
> EAP, then there is no problem doing a full restart on a regular basis..

how about updating the NAS list from SQL via, for example, an SNMP write command
or a special RADIUS command packet. both of these could have security protection
to prevent DoS (eg the SNMP write from only certain locations (firewalled) and
has password too of course... the RADIUS command packet could have a shared
secret requirement and/or use the FR unlang/attribute protections for 
access/accept

alan


Re: "WPA keys" that expires after use

2007-07-29 Thread A . L . M . Buxey
Hi,

> The idea is, that the router does the authentication via radius server, which 
> stores predefined "WPA keys". When user uses one of them to access the 
> network, the "WPA key" is activated. After specified period of time, radius 
> server automatically deactivates the WPA key and disconnects user.

err, if the WPA key only becomes active AFTER they've reached the RADIUS server 
- then HOW are they to connect to the wireless in the first place - as the WPA 
key is required for the layer 2 link to come alive(!)

AAA would be able to give you this 'very low level' type of authentication. 
what you COULD do with AAA is to use SSL certs eg EAP-PEAP/EAP-TLS with 
WPA-enterprise. and then once the cert has been used, expire it.  alternatively 
use WPA as you are currently doing but enforce another control method to get 
online - such as a SOCKS5 proxy.

alan


RE: Adding a NAS via SQL

2007-07-29 Thread Hugh Messenger
[EMAIL PROTECTED] said:
> how about updating the NAS list from SQL via, for example, an SNMP write
> command
> or a special RADIUS command packet. both of these could have security
> protection
> to prevent DoS (eg the SNMP write from only certain locations (firewalled)
> and
> has password too of course... the RADIUS command packet could have a
> shared
> secret requirement and/or use the FR unlang/attribute protections for
> access/accept

I'd settle for having it reload on a configurable amount of time ...

# time between NAS table reloads if using SQL
# default is 1 hour
# set to 0 to disable NAS table reloading
nas_table_reload_time = 1h

So each request FR handles would start with this pseudo-code ...

if (nas_table_reload_time AND (last_nas_table_read < (NOW -
nas_table_reload_time)))
{
    reload_nas_table();
    last_nas_table_read = NOW;
}

IMHO this would be a good compromise.  Easy to implement (for someone like
Alan!), very low impact on the server (with the default setting), and allows
the admin to set the reload time that suits their site.  I'd set mine to
24h, as I hardly ever change my NAS setup, but some folk might need 15m if
they have high NAS turnover.

> alan

   -- hugh




Re: Adding a NAS via SQL

2007-07-29 Thread Arran Cudbard-Bell
Hugh Messenger wrote:
> [EMAIL PROTECTED] said:
>   
>> how about updating the NAS list from SQL via, for example, an SNMP write
>> command
>> or a special RADIUS command packet. both of these could have security
>> protection
>> to prevent DoS (eg the SNMP write from only certain locations (firewalled)
>> and
>> has password too of course... the RADIUS command packet could have a
>> shared
>> secret requirement and/or use the FR unlang/attribute protections for
>> access/accept
>> 
I agree with Alan B, SNMP write is the way to go with this. It's a nice 
standard mechanism which can be triggered by almost anything.
Generally in most implementations of an SQL based NAS list, some script 
somewhere is going to be adding rows to the SQL table, and adding a few 
extra lines into that script to poke the server isn't going to be very 
hard in any high level interpreted language.
>
> I'd settle for having it reload on a configurable amount of time ...
>
>   # time between NAS table reloads if using SQL
>   # default is 1 hour
>   # set to 0 to disable NAS table reloading
>   nas_table_reload_time = 1h
>
> So each request FR handles would start with this pseudo-code ...
>
> if (nas_table_reload_time AND (last_nas_table_read < (NOW -
> nas_table_reload_time)))
> {
>   reload_nas_table();
>   last_nas_table_read = NOW;
> }
>
> IMHO this would be a good compromise.  Easy to implement (for someone like
> Alan!), very low impact on the server (with the default setting), and allows
> the admin to set the reload time that suits their site.  I'd set mine to
> 24h, as I hardly ever change my NAS setup, but some folk might need 15m if
> they have high NAS turnover.
>
>   
I can't help but think there might be something more complicated to 
this, else it would have been done already.
The mechanism by which a reloading of SQL clients is triggered could be 
quite arbitrary, but changing memory structures whilst processing a 
packet could cause some nasty issues...
But I'm not a C programmer, and Alan is.

Alan if you could explain the technical reason behind the difficulty in 
adding this feature, users might be in a better position to offer 
suggestions / patches.

What does HUP actually do to a process in the Unix world ? Just send it 
a nice semaphore saying "you've been hupped now do stuff" to the 
process, or something more drastic ?
>> alan
>> 
>
>-- hugh
>
>   
Arran (Still in the land of fine wine and Pizza, and has learned to love 
Dial-Up again)



Re: Adding a NAS via SQL

2007-07-29 Thread Krzysztof Olędzki
On 2007-07-29 19:13, Arran Cudbard-Bell wrote:
> I can't help but think there might be something more complicated to 
> this, else it would have been done already.
> The mechanism by which a reloading of SQL clients is triggered could be 
> quite arbitrary, but changing memory structures whilst processing a 
> packet could cause some nasty issues...
> But I'm not a C programmer, and Alan is.
> 
> Alan if you could explain the technical reason behind the difficulty in 
> adding this feature, users might be in a better position to offer 
> suggestions / patches.

I don't know freeradius source code very well but after briefly looking 
into the rlm_sql.c I think it is possible. It seems that currently 
rlm_sql simply adds one client after another:

    while (rlm_sql_fetch_row(sqlsocket, inst) == 0) {
        (...)
        c = rad_malloc(sizeof(RADCLIENT));
        memset(c, 0, sizeof(RADCLIENT));
        (...)
        /* prepend the freshly built client to the global list */
        c->next = mainconfig.clients;
        mainconfig.clients = c;
    }

So, currently it may be hard to remove old ones since it is unknown if 
they come from rlm_sql or a client file. I see two solutions: save 
somewhere original "mainconfig.clients" pointer or mark using additional 
flag clients with rlm_sql origin.

Switching between old and new nas table could be atomic and we can keep 
the old one for a while (for example to the next scheduled reload) to be 
sure that no one else is using it (client_find() and client_walk() callers).

Best regards,

Krzysztof Olędzki
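Hugh's interval check and Krzysztof's pointer-swap idea, worked through together in C as an added example (mine, not FreeRADIUS's code): SQL-sourced clients carry an origin flag and are chained in front of the file-sourced ones, each reload publishes a fresh list with one atomic exchange, and the list swapped out is parked until the following reload so in-flight client_find() walks stay valid. The radclient_t layout, the file_clients/retired_clients pointers, nas_table_reload_time in seconds and the sample rows are all assumptions.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Assumed stand-in for FreeRADIUS's RADCLIENT; field names are mine. */
typedef struct radclient {
    char ipaddr[16];
    char secret[64];
    bool from_sql;              /* origin flag, as Krzysztof proposed */
    struct radclient *next;
} radclient_t;

/* Constructed stand-in for one row fetched from the SQL nas table. */
typedef struct { const char *nasname; const char *secret; } nas_row_t;

static _Atomic(radclient_t *) clients = NULL;   /* mainconfig.clients equivalent */
static radclient_t *file_clients = NULL;        /* clients.conf nodes, never freed */
static radclient_t *retired_clients = NULL;     /* list swapped out by the last reload */
static time_t last_nas_table_read = 0;
static time_t nas_table_reload_time = 3600;     /* Hugh's knob, in seconds; 0 disables */

static radclient_t *client_new(const char *ip, const char *secret, bool from_sql)
{
    radclient_t *c = calloc(1, sizeof(*c));
    if (c == NULL) abort();
    strncpy(c->ipaddr, ip, sizeof(c->ipaddr) - 1);
    strncpy(c->secret, secret, sizeof(c->secret) - 1);
    c->from_sql = from_sql;
    return c;
}

/* Clients from clients.conf: registered at startup, before any reload. SQL nodes
 * are always chained in front of this tail, so it is shared by every list. */
radclient_t *client_add_file(const char *ip, const char *secret)
{
    radclient_t *c = client_new(ip, secret, false);
    c->next = file_clients;
    file_clients = c;
    atomic_store(&clients, c);
    return c;
}

/* Release only the SQL-sourced nodes of a retired list; the file tail stays. */
static void retired_free(radclient_t *head)
{
    while (head != NULL && head->from_sql) {
        radclient_t *next = head->next;
        free(head);
        head = next;
    }
}

/* Rebuild the SQL part from fresh rows and publish it with one atomic pointer
 * swap, so a request never walks a half-updated list. The list swapped out is
 * parked until the next reload (a full interval later), by which time any
 * lookup that was walking it has finished. Returns the number of SQL clients. */
size_t reload_nas_table(const nas_row_t *rows, size_t n)
{
    radclient_t *head = file_clients;
    for (size_t i = n; i-- > 0;) {              /* prepend in reverse: keeps row order */
        radclient_t *c = client_new(rows[i].nasname, rows[i].secret, true);
        c->next = head;
        head = c;
    }
    radclient_t *old = atomic_exchange(&clients, head);
    retired_free(retired_clients);
    retired_clients = old;
    return n;
}

/* Hugh's per-request check: reload once the configured interval has elapsed. */
bool maybe_reload_nas_table(time_t now, const nas_row_t *rows, size_t n)
{
    if (nas_table_reload_time == 0) return false;
    if (last_nas_table_read >= now - nas_table_reload_time) return false;
    reload_nas_table(rows, n);
    last_nas_table_read = now;
    return true;
}

/* client_find() equivalent: walks whichever list is published right now. */
radclient_t *client_find(const char *ipaddr)
{
    for (radclient_t *c = atomic_load(&clients); c != NULL; c = c->next)
        if (strcmp(c->ipaddr, ipaddr) == 0) return c;
    return NULL;
}

/* Number of SQL nodes parked in the retired list, for inspection. */
size_t retired_sql_count(void)
{
    size_t k = 0;
    for (radclient_t *c = retired_clients; c != NULL && c->from_sql; c = c->next) k++;
    return k;
}

/* Constructed sample rows: two successive reads of the nas table, the second
 * having dropped 198.51.100.1 and rotated the remaining secret. */
static const nas_row_t rows_v1[] = { { "198.51.100.1", "secret-a" },
                                     { "198.51.100.2", "secret-b" } };
static const nas_row_t rows_v2[] = { { "198.51.100.2", "secret-b2" } };
```

A single-threaded process, as FreeRADIUS 1.x largely is, still benefits: the swap keeps client_find() from ever seeing a list that is half rebuilt part-way through a request.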


Using the various User-Password, Chap-Password, etc... with MySQL

2007-07-29 Thread liran tal
Hey everyone,

I was wondering if someone can clearly explain the use of different
Password attributes when they're used in a scenario where MySQL is involved.

The basic case of User-Password is clear.
When the attribute in the radcheck table is User-Password then its value is
the password in clear text and the op is ==

What about Cleartext-Password? I've added this attribute with op of := and
value password in clear text and used radtest as a test, and it results in
just re-transmission of Access-Request queries, and basically not working.

What about Chap-Password, MD5-Password, SHA1-Password, what are their
corresponding values and op like?


As a side note, I remember reading somewhere the use of the
PASSWORD('somepass') function
in MySQL for radcheck's password attributes but I'm really not sure in which
context was it.


Thanks,
Lir.

Re: "WPA keys" that expires after use

2007-07-29 Thread Ferdo Piš
I didn't mean the real WPA key (that's why I put them in brackets). I wanted a 
key (a pass of some predefined user) in radius server. And the user in radius 
server is deleted X hours after its first login.

Is this possible, or am I missing the point completely?

Ferd0



SQL usage ideas

2007-07-29 Thread Roy Walker
I think I have a pretty good idea of how the sql structure works for radius.  
Here are some ideas I have:
 
It looks like the clients query is cached at startup (guessing this since I 
don't see thousands of queries to the nas table like I do to the other tables). 
 One really useful option would be to add an option to read some of the  
database tables into the radius servers memory on startup.  This would be 
EXTREMELY useful for my case in that I am using groups and could set the 
radgroupcheck and radgroupreply tables (since they just about never change, and 
I would be willing to deal with a restart if they did need to change) to load 
into memory on the radius server and still allow me to dynamically add/remove 
users from groups.  Would be a good idea to offer this to every read only table 
(some like radpostauth just would not make sense), some may not be used often, 
but you never know.
 
Thoughts?
 
Roy

Re: "WPA keys" that expires after use

2007-07-29 Thread tnt
If you want to expire passwords set Expiration attribute using exec or
perl modules at first login. Deleting users and expired passwords
hasn't got much to do with radius. Delete them the same way you created
them.

Ivan Kalik
Kalik Informatika ISP




Re: SQL usage ideas

2007-07-29 Thread tnt
How about you let SQL server deal with SQL queries:

http://dev.mysql.com/doc/refman/5.0/en/query-cache.html

Ivan Kalik
Kalik Informatika ISP




Re: Using the various User-Password, Chap-Password, etc... with MySQL

2007-07-29 Thread Alan DeKok
liran tal wrote:
> I was wondering if someone can clearly explain the use of different
> Password attributes when they're used in a scenario where MySQL is involved.

  The different password attributes have nothing to do with MySQL.

  Put a clear-text password in MySQL, and let the server deal with
different authentication protocols.

> The basic case of User-Password is clear.
> When the attribute in the radcheck table is User-Password then it's value is
> the password in clear text and the op is ==

  No.  See the recent documentation in 1.1.5 and following.  The
attribute is Cleartext-Password, and the operator is :=.

> What about Cleartext-Password? I've added this attribute with op of := and
> value password in clear text and used radtest as a test, and it results in
> just re-transmission of Access-Request queries, and basically not working.

  See the FAQ for "it doesn't work".  The FAQ, README, INSTALL, etc. all
say to run the server in debugging mode.

> What about Chap-Password, MD5-Password, SHA1-Password, what are their
> corresponding values and op like?

  Read the documentation in "man rlm_pap", as suggested in the README.

  Alan DeKok.


RE: SQL usage ideas

2007-07-29 Thread Roy Walker
Well if you understand server/client systems, no client request is INFINITELY 
faster than a server cached request.  So when you get to the point where you 
need to handle several hundred requests a second, you do the math.

Roy



Re: SQL usage ideas

2007-07-29 Thread A . L . M . Buxey
Hi,
> Well if you understand server/client systems, no client request is 
> INIFINATELY faster than a server cached request.  So when you get to the 
> point where you need to handle several hundred requests a second, you do the 
> math.

depends on how the SQL tables are indexed, how the server is configured
etc etc - certainly I've got some very complex queries that upon benchmarking
against a million entries can run in less than 0.00 (ie MySQL basic
counter in seconds isn't good enough to measure ;-) )

but if you want to take your data, then cache it in memory rather than
query it... well, that sounds much like having it in memory and not
in a database at all - ie 'fastusers' and the such... rather than a 
database as we know it. 

alan


Re: LDAP error in dialup admin page

2007-07-29 Thread Bishal

Apache is running as www and it can open and read file. But still I am
getting the same error.





RE: SQL usage ideas

2007-07-29 Thread Roy Walker
Maybe I am misunderstanding you, but are you saying there is already a method 
to pull the data from the database and cache it using 'fastusers'?  I do not 
see any way to do that...
 
There are a lot of reasons to keep the data in a database, look at the NAS table 
(I realize it is read-on-start for DoS reasons) but someone must be of the same 
mind set as me or there would be no client support in the SQL module.
 
Roy


