Peter Lambrechtsen wrote:
> Even though we have ldap_connections_number = 50 in the modules/ldap we
> have issues with the dynamic clients.  We can increase the number higher
> but it doesn't seem to make any difference.

  Or, you can do fewer queries.

> Each element sends a heartbeat packet to FR once a second to make sure
> it's still alive which we capture very early on in the authorize second
> and send a reject.

  That's a REALLY bad idea.  See RFC 2865 for why keep-alives are
harmful.  See RFC 5997 for a better approach.

> Do the newer versions of FreeRadius use the multiple connections of ldap
> in a more efficient way so that the client lookups work more effectively?

  No.

> Our dynamic clients config is:
> 
> server dynamic_client_server {
>   authorize {
>     if ("%{ldap:ldap:///ou=Elements,o=Identities?ou?sub?cn=%{Packet-Src-IP-Address}}")

  This can be cached in a temporary variable:

        update control {
                Tmp-String-0 = "%{ldap:....}"
        }

        if (Tmp-String-0 != "") {
                update control {
                        ...
                        FreeRADIUS-Client-Shortname = "%{control:Tmp-String-0}"
                        ...
                }
        }

  That changes it from three LDAP lookups to one.

> Is the dynamic clients ldap lookups only single threaded, or have I done
> something incorrect with the configuration?

  The dynamic client lookups are single threaded.  Changing that is hard.

  Alan DeKok.
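A complete form of the cached lookup, written as an added example that is not from the list post or the FreeRADIUS distribution. It assumes the LDAP tree from Peter's query and an assumed attribute `radiusSecret` holding each element's shared secret.

```unlang
# Added example, not from the list post or from raddb. Assumes the LDAP
# layout of the original query and an assumed "radiusSecret" attribute.
server dynamic_client_server {
        authorize {
                # One LDAP query per unknown source address. The result is
                # cached in the control list and reused below instead of
                # repeating the same xlat in every condition and update.
                update control {
                        Tmp-String-0 = "%{ldap:ldap:///ou=Elements,o=Identities?ou?sub?cn=%{Packet-Src-IP-Address}}"
                }

                # Unknown source: reject after exactly one lookup, with no
                # further LDAP work on this (single-threaded) path.
                if (control:Tmp-String-0 == "") {
                        reject
                }

                # Known element: define the client from the cached value.
                # Only the shared secret needs a second query, and it runs
                # only for sources that passed the first check.
                update control {
                        FreeRADIUS-Client-IP-Address = "%{Packet-Src-IP-Address}"
                        FreeRADIUS-Client-Shortname  = "%{control:Tmp-String-0}"
                        FreeRADIUS-Client-Secret     = "%{ldap:ldap:///ou=Elements,o=Identities?radiusSecret?sub?cn=%{Packet-Src-IP-Address}}"
                        FreeRADIUS-Client-NAS-Type   = "other"
                }
                ok
        }
}
```

Because the dynamic client lookups are single threaded, the reject path costing a single query is what keeps a flood of packets from unknown addresses from starving the lookups for real elements.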