On Jan 11, 2013, at 2:32 PM, Arran Cudbard-Bell <[email protected]> 
wrote:

> [snip]
> 
> Yeah it'll just bog down your LDAP server instead. You should use rlm_cache 
> to cache the result of the LDAP lookup (once you have all this working)*.
> 
> Have you added nostrip for all the realms? The only way I can see it 
> clobbering username is if stripping is enabled.

So that was my first thought too. However, I have limited visibility into the 
remote lab crypto server and when I sent a request to with a realm included, it 
flat out dropped the request. Didn't reply at all. So I need the realm to so 
the proxy portion can hit the right destination, but I need the User-Name 
stripped so the remote server can understand it.

> -Arran
> 
> PS: You know you want to test the threaded version of the updated rlm_krb5 
> module :)

I do! Once I get this configuration working I'll be happy to try it. One of my 
todos for this whole config revamp is to stress test the environment against a 
brute force attack (we get them frequently). Then I'll have some before numbers 
to compare with the after.

> 
> * Only use the rlm_cache module from 2.2.1
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to