On Wed, 28 May 2003 10:25:09 -0400, Alan DeKok wrote:
> Pieter Droogendijk <[EMAIL PROTECTED]> wrote:
> > The solution we came up with, in the first place, was to disable the
> > password authentication. The new systems (which use freeradius)
> > however, should include authentication as well. But since the
> > overall timeout is only 6 seconds, and the LDAP gets some extreme
> > loads at certain times, we can't reach that.
>
> Then I would suggest upgrading the machine running the LDAP server.
>
> The alternative, if the per-user LDAP configuration is *very*
> simple, is to write a 'cache' module, which will cache
> username/passwords, so that the LDAP server isn't hammered.
>

Sorry, there's a user base of 1.5 mil, and we get about 500k sessions every day. Writing a cache module would not be very.... useful.

> > What I need is something in between the two solutions; REJECT if the
> > authorization takes longer than X seconds, ACCEPT if the password
> > authentication takes longer than Y seconds,
>
> Authentication is taking 2 seconds, against the LDAP server?
> There's GOT to be a better way...
>

One authentication, no, but once the load goes up to 80 per second just from one server, things just start slowing down.

> > or send an ACCEPT or REJECT according to successful authorization and
> > authentication responses, where X+Y<6.
>
> That's a horrendously evil hack, and I would strongly advise against
> it.

I know :P

>
> Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

--
Perilous to all of us are the devices of an art deeper than we ourselves possess.
-- Gandalf the Grey [J.R.R. Tolkien, "Lord of the Rings"]
