On Wed, 28 May 2003 17:43:45 +0300 (EEST), Kostas Kalevras wrote:

> On Wed, 28 May 2003, Pieter Droogendijk wrote:
>
> > Greetings,
> >
> > I'm facing an odd problem at the moment.
> >
> > The ISP I work for has its own radius servers, however we don't own the CVX.
> > The company that owns the CVX decided that it would be a good idea to
> > automatically reject a dialup connection if the connection process (which, of
> > course, includes our radius servers) takes longer than 6 seconds. And this
> > poses a problem.
> >
> > The solution we came up with, in the first place, was to disable the password
> > authentication. The new systems (which use freeradius) however, should include
> > authentication as well. But since the overall timeout is only 6 seconds, and
> > the LDAP gets some extreme loads at certain times, we can't reach that.
> >
> > I just benchmarked the server with an ldap timeout of 2 seconds (all three
> > ldap timeouts that is), and 10% of 500.000 requests were rejected because of
> > the timeout, which is unacceptable.
>
> I believe that the bottleneck is the authentication part. The BIND operation
> requires a new connection (with all the corresponding overhead) as well as
> processing on the ldap server side (do a crypt() on the supplied password). If
> you are also using TLS (you don't say anything about it) then things will start
> getting out of hand. There's nothing you can do to the ldap module to fix that
> (it's how the LDAP protocol works). The only thing you can do is:
>
> * Put the radius server on the same machine as the ldap server and use ldapi
>   (ldap over unix sockets) if that is supported.

I already thought of running a local ldap mirror on the radius machine, and I'll
start benchmarking this Friday or next Monday. I'll most certainly follow all (or
at least most) of your advice. Thanks.

> * Use the PAP/CHAP module and the password extraction mechanism of the ldap
>   module so that you don't need to run the ldap module in the authentication phase.
>   I believe that as long as your ldap server caches are working fine the
>   authorization part of rlm_ldap will work just fine without timeouts.
>
> > What I need is something in between the two solutions; REJECT if the
> > authorization takes longer than X seconds, ACCEPT if the password
> > authentication takes longer than Y seconds, or send an ACCEPT or REJECT
> > according to successful authorization and authentication responses, where
> > X+Y<6.
> >
> > Is there any valid way, besides patching the ldap module to make the return
> > value at timeouts configurable, that would solve this problem? Maybe someone
> > has another solution?
> >
> > Thanks in advance,
> >
> > Pieter Droogendijk
> >
> > --
> > There is an old time toast which is golden for its beauty.
> > "When you ascend the hill of prosperity may you not meet a friend."
> > -- Mark Twain
> >
> > -
> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
> --
> Kostas Kalevras          Network Operations Center
> [EMAIL PROTECTED]        National Technical University of Athens, Greece
> Work Phone:              +30 210 7721861
> 'Go back to the shadow'  Gandalf

--
You love peace.
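The setup Kostas describes (one LDAP search in authorize that pulls the stored
password hash out, then rlm_pap doing the comparison locally instead of a second
LDAP BIND in authenticate) as a radiusd.conf fragment. This is an added example
written for this page, not config from either poster and not FreeRADIUS's shipped
radiusd.conf. It assumes FreeRADIUS 1.x option names (check doc/rlm_ldap and
doc/rlm_pap for the version you run), a local LDAP replica on the radius box, an
example DN/password/basedn under dc=example,dc=net, and userPassword values stored
with a scheme header such as {crypt} or {SSHA}.

```conf
modules {
	ldap {
		# Local replica on the same box. The ldapi:// socket form only works
		# if your build initialises with a URL; otherwise keep a hostname.
		server = "localhost"
		identity = "cn=radius,dc=example,dc=net"    # example bind DN
		password = "changeme"                       # example only
		basedn = "ou=people,dc=example,dc=net"
		filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

		# The "three ldap timeouts". Budget them so a slow directory makes
		# authorize fail fast and well inside the CVX's 6-second window:
		net_timeout = 1        # seconds to wait for the TCP connect
		timeout = 2            # seconds to wait for a search reply
		timelimit = 2          # server-side search time limit

		# Password extraction: copy userPassword into the request as a
		# check item during authorize, so authenticate never BINDs.
		password_attribute = userPassword
		# Do not force Auth-Type := LDAP; leave it to pap/chap below.
		set_auth_type = no

		ldap_connections_number = 10
		dictionary_mapping = ${raddbdir}/ldap.attrmap
	}
	pap {
		# Compare against the extracted hash locally, using the
		# {crypt}/{SSHA}/... header to pick the scheme.
		auto_header = yes
	}
	chap {
		authtype = CHAP
	}
}

authorize {
	preprocess
	chap
	ldap          # one search against the local replica; returns the hash
	pap           # sets Auth-Type := PAP when a User-Password is present
}

authenticate {
	Auth-Type PAP {
		pap
	}
	Auth-Type CHAP {
		chap
	}
	# No "Auth-Type LDAP { ldap }" block: the bind path is deliberately unused.
}
```

Two caveats a practitioner should keep in mind with this layout. CHAP can only
succeed if the directory stores the password in clear text, since the CHAP
response has to be recomputed from it; with crypt or SSHA hashes only PAP (and
therefore password-in-the-clear from the NAS, ideally over a private link to the
CVX) will work. And if your rlm_ldap predates the set_auth_type option, the
equivalent is to stop it from setting Auth-Type by forcing the type yourself,
e.g. a DEFAULT entry with Auth-Type := PAP in the users file ahead of ldap.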
