
List:       freeradius-users
Subject:    Re: Redundant Ldap Configuration + More groups
From:       nikitha <sumi.techno () gmail ! com>
Date:       2007-02-28 5:54:03
Message-ID: b3f2d4780702272142o4294442fjfeed98a216ade959 () mail ! gmail ! com

Hi Alan,

Thanks for your information.

Regards,
Nikitha

On 2/17/07, Alan DeKok <aland@deployingradius.com> wrote:
>
> nikitha wrote:
>
> > When the request comes to the radius server, it goes one entry by entry
> > in "users" file, i.e., it connects to ldap-server-1 with the Ldap-Group
> > tries from g1 till g20, and then connects to ldap-server-2 with
> > Ldap-Group from "g21" till g50. If the user is part of Ldap-group "g50"
> > it takes more time to return success, before itself the request times
> > out, and received eap start again from wireless client.
>
>   Yes.  The LDAP query results aren't cached.
>
> > If the "number of DEFAULT entry for ldap-server-1" is less than 10, then
> > it works fine. If the default entry increases, the server takes more
> > time to process.
>
>   Yes, the solution is to not configure so many queries that the server
> slows down.
>
> > I think redundant ldap server configuration is not correct or in some
> > other way we can fix it. Is it possible to configure the radius server in
> > such a way that, try ldap-server-1 for the first policy, if it's
> > reachable then check it against the next policy.
>
>   For LDAP-Group checking, no.
>
> > If it's not reachable mark this server as dead or whatever and ignore
> > processing the next coming DEFAULT entries which matches with
> > ldap-server-1 and try to process ldap-server-2 entries.
>
>   That may be possible with source code patches.  i.e. If an LDAP server
> is marked "dead", don't try to contact it for a few seconds.  That would
> help your configuration a lot.  But your configuration is an artificial
> one that highlights a problem.
>
>   Alan DeKok.
> --
>   http://deployingradius.com       - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
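
A small C model of the dead-marking idea discussed in the message above, added here as an illustration; it is not part of the original message and is not FreeRADIUS code. The timings, the assumption that ldap-server-1 is unreachable, and all names (`walk`, `scenario`, `dead_until`) are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define QUERY_MS   20    /* assumed cost of one answered group query */
#define TIMEOUT_MS 4000  /* assumed cost of one query to an unreachable server */
#define DEAD_MS    5000  /* "a few seconds": how long a dead server is skipped */

struct server { int up; long dead_until; };   /* dead_until: simulated clock, ms */
struct entry  { int srv; const char *group; };/* one DEFAULT entry in "users" */

/* Walk the entries in order, as the users file is processed. Returns the
 * simulated time (ms) spent before a group match, or before giving up. */
long walk(struct server *s, const struct entry *e, int n,
          const char *user_group, int use_dead_mark, int *matched) {
    long now = 0;
    *matched = 0;
    for (int i = 0; i < n; i++) {
        struct server *sv = &s[e[i].srv];
        if (use_dead_mark && now < sv->dead_until)
            continue;                       /* marked dead: skip this entry */
        if (!sv->up) {
            now += TIMEOUT_MS;              /* query hangs until it times out */
            sv->dead_until = now + DEAD_MS; /* remember the failure */
            continue;
        }
        now += QUERY_MS;                    /* results are not cached */
        if (strcmp(e[i].group, user_group) == 0) { *matched = 1; break; }
    }
    return now;
}

/* Constructed scenario: g1..g20 are checked on server 0 (assumed down),
 * g21..g50 on server 1 (up); the user is a member of g50. */
long scenario(int use_dead_mark, int *matched) {
    static char names[50][16];
    struct entry e[50];
    struct server s[2] = { {0, 0}, {1, 0} };
    for (int i = 0; i < 50; i++) {
        snprintf(names[i], sizeof names[i], "g%d", i + 1);
        e[i].srv = (i < 20) ? 0 : 1;
        e[i].group = names[i];
    }
    return walk(s, e, 50, "g50", use_dead_mark, matched);
}

int main(void) {
    int m;
    printf("without dead-marking: %ld ms\n", scenario(0, &m));
    printf("with dead-marking:    %ld ms\n", scenario(1, &m));
    return 0;
}
```

With these assumed timings the walk to g50 costs 80600 ms when every entry for the unreachable server waits for its own timeout, and 4600 ms when the first failure causes the remaining entries for that server to be skipped.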
