On 06/02/13 12:19, Antonio Alberola wrote:

I understand that the PAM mechanism is slow, some domains more than others.
But, I don't understand why RADIUS doesn't clean this request with some
timeout mechanisms. It's very simple to create a script for crashing the
server with a DoS attack. I need a configuration parameter to deny the
request if PAM module doesn't respond on time.

The PAM APIs are synchronous, and don't offer timeout options. It's not possible to timeout a PAM call; FreeRADIUS is entirely at the mercy of PAM.

Don't use PAM, it's not suitable for your needs. Use "ntlm_auth", and FreeRADIUS can timeout the call.


Why is RADIUS server accepting duplicate requests for queries that have
already been sent to it? This is the cause of all threads being busy, correct?

No. FreeRADIUS is *logging* that duplicates arrived. It doesn't process them, because they're duplicates. But it logs them, because duplicates are a symptom of too-slow authentication.
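
The distinction drawn in the reply above, as an added example (not code from the original post or from FreeRADIUS): a library call made inside a server thread blocks until it returns, while a helper run as a separate process, as ntlm_auth is, can be killed at a deadline. The name `run_with_timeout` and the `sleep 5` stand-in for a slow backend are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

#define HELPER_TIMED_OUT (-2)
#define HELPER_FAILED    (-1)

/* Hypothetical helper: run argv[0] with a deadline. Returns its exit status
 * (0-255), HELPER_TIMED_OUT if killed at the deadline, HELPER_FAILED on error. */
int run_with_timeout(char *const argv[], int timeout_ms)
{
    pid_t pid = fork();
    if (pid < 0) return HELPER_FAILED;
    if (pid == 0) {                     /* child: become the helper */
        execvp(argv[0], argv);
        _exit(127);                     /* exec failed */
    }

    const struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms */
    for (int waited = 0; ; waited += 10) {
        int status;
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid)
            return WIFEXITED(status) ? WEXITSTATUS(status) : HELPER_FAILED;
        if (r < 0) return HELPER_FAILED;
        if (waited >= timeout_ms) {
            /* Deadline passed. The caller regains control because the
             * blocking work lives in another process; an in-process
             * synchronous call gives it no such handle. */
            kill(pid, SIGKILL);
            waitpid(pid, &status, 0);   /* reap the child, no zombie */
            return HELPER_TIMED_OUT;
        }
        nanosleep(&tick, NULL);
    }
}

int main(void)
{
    char *slow[] = { "sleep", "5", NULL };  /* constructed slow backend */
    char *fast[] = { "true", NULL };
    printf("slow helper: %d\n", run_with_timeout(slow, 300));
    printf("fast helper: %d\n", run_with_timeout(fast, 300));
    return 0;
}
```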