[prev in list] [next in list] [prev in thread] [next in thread]
List: freeradius-users
Subject: Re: Redundant Ldap Configuration + More groups
From: nikitha <sumi.techno () gmail ! com>
Date: 2007-02-28 5:54:03
Message-ID: b3f2d4780702272142o4294442fjfeed98a216ade959 () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi Alan,
Thanks for your information.
Regards,
Nikitha
On 2/17/07, Alan DeKok <aland@deployingradius.com> wrote:
>
> nikitha wrote:
>
> > When the request comes to the radius server, it goes one entry by entry
> > in "users" file, ie., It connects to ldap-server-1 with the Ldap-Group
> > tries from g1 till g20, and then connects to ldap-server-2 with
> > Ldap-Group from "g21' till g50. If the user is part of Ldap-group "g50"
> > it takes more time to return success, before itself the request times
> > out, and received eap start again from wireless client.
>
> Yes. The LDAP query results aren't cached.
>
> > If the "number of DEFAULT entry for ldap-server-1" is less than 10, then
> > it works fine. If the default entry increases, the server takes more
> > time to process.
>
> Yes, the solution is to not configure so many queries that the server
> slows down.
>
> > I think redundant ldap server configuration is not correct or in some
> > otherway we can fix it. Is it possible to configure the radius server in
> > such a way that, try ldap-server-1 for the first policy, if its
> > reachable then check it against the next policy.
>
> For LDAP-Group checking, no.
>
> > If its not reachable mark this server as dead or whatever and ignore
> > processing the next coming DEFAULT entries which matches with
> > ldap-server-1 and try to process ldap-server-2 entries.
>
> That may be possible with source code patches. i.e. If an LDAP server
> is marked "dead", don't try to contact it for a few seconds. That would
> help your configuration a lot. But your configuration is an artificial
> one that highlights a problem.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
[Attachment #5 (text/html)]
Hi Alan,<br><br>Thanks for your information. \
<br><br>Regards,<br>Nikitha<br><br><div><span class="gmail_quote">On 2/17/07, <b \
class="gmail_sendername">Alan DeKok</b> <<a \
href="mailto:aland@deployingradius.com">aland@deployingradius.com </a>> \
wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, \
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">nikitha wrote:<br><br>> \
When the request comes to the radius server, it goes one entry by entry <br>> in \
"users" file, ie., It connects to ldap-server-1 with the Ldap-Group<br>> \
tries from g1 till g20, and then connects to ldap-server-2 with<br>> Ldap-Group \
from "g21' till g50. If the user is part of Ldap-group "g50" \
<br>> it takes more time to return success, before itself the request \
times<br>> out, and received eap start again from wireless \
client.<br><br> Yes. The LDAP query results aren't \
cached.<br><br>> If the "number of DEFAULT entry for ldap-server-1" is \
less than 10, then <br>> it works fine. If the default entry increases, the server \
takes more<br>> time to process.<br><br> Yes, the solution is to not \
configure so many queries that the server<br>slows down.<br><br>> I think \
redundant ldap server configuration is not correct or in some <br>> otherway we \
can fix it. Is it possible to configure the radius server in<br>> such a way that, \
try ldap-server-1 for the first policy, if its<br>> reachable then check it \
against the next policy.<br><br> For LDAP-Group checking, no. <br><br>> \
If its not reachable mark this server as dead or whatever and ignore<br>> \
processing the next coming DEFAULT entries which matches with<br>> ldap-server-1 \
and try to process ldap-server-2 entries.<br><br> That may be \
possible with source code patches. i.e. If an LDAP server<br>is marked \
"dead", don't try to contact it for a few seconds. That \
would<br>help your configuration a lot. But your configuration is an \
artificial <br>one that highlights a problem.<br><br> Alan \
DeKok.<br>--<br> <a \
href="http://deployingradius.com">http://deployingradius.com</a> \
- The web site of the book<br> <a \
href="http://deployingradius.com/blog/">http://deployingradius.com/blog/ </a> - The \
blog<br>-<br>List info/subscribe/unsubscribe? See <a \
href="http://www.freeradius.org/list/users.html">http://www.freeradius.org/list/users.html</a><br></blockquote></div><br>
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic