(RADIATOR) Radiator and LDAP performance
Campbell Simpson
Campbell.Simpson2 at telecom.co.nz
Wed Mar 2 17:18:18 CST 2005
Hi people,
I've got a working Radiator config that's talking LDAP to Novell eDirectory. Now I'm looking at how efficient the LDAP authentication process is, and this is where I need some advice. It looks to me that this is the only proper way to authenticate a user; the problem, however, is that it requires two binds per authentication request, which will obviously have an effect on performance. It also seems to me that 'ServerChecksPassword' and 'HoldServerConnection' are mutually exclusive flags.
First up, Radiator needs to be authenticated against the LDAP directory before it can search for the user, so I have an AuthDN and AuthPassword set. Radiator then searches for the username with a custom search filter and gets the contents of the aaareply LDAP attribute. As Novell implements proprietary encryption for the user password, I need to use the 'ServerChecksPassword' flag. This means there needs to be a second bind, on the username and password, to confirm the correct password.
So the question is: is there a way to perform this authentication using only a single bind?
Although eDirectory does support persistent connections (according to Novell), I can't get it working with the 'HoldServerConnection' flag. Should this flag work if 'ServerChecksPassword' is set as well? As it's doing a bind, then a search, then another bind as the user, it seems to me this can't work? When I run a packet debug I see the two binds occurring, but then Radiator sends an unbind request. This all occurs over the same LDAP connection, so it seems to me that when you set 'ServerChecksPassword', Radiator will always send an unbind request for the LDAP session even though 'HoldServerConnection' is set.
See the packet capture below; this is with 'HoldServerConnection' and 'ServerChecksPassword' set:
thr2 -> 146.171.39.80 LDAP C port=33189 Bind Request
146.171.39.80 -> thr2 LDAP R port=33189 Bind Response Success
thr2 -> 146.171.39.80 LDAP C port=33189 Search Request derefFindingBaseObj
146.171.39.80 -> thr2 LDAP R port=33189 Search ResDone Success
thr2 -> 146.171.39.80 LDAP C port=33189 Bind Request
146.171.39.80 -> thr2 LDAP R port=33189 Bind Response Success
thr2 -> 146.171.39.80 LDAP C port=33189 Unbind Request
Here's my config:
<Realm DEFAULT>
PreAuthHook file:"/opt/radiator/realmprefix.pl"
RewriteUsername s/\@ip\w\./\@/
AcctLogFileName %L/accounting.%R
WtmpFileName %L/wtmp.%R
PasswordLogFileName %L/auth.%R
<AuthBy LDAP2>
Host 146.171.39.80
Port 389
# HoldServerConnection
ServerChecksPassword
SearchFilter (&(groupMembership=cn=%{GlobalVar:access},ou=services,ou=THR,ou=Applications,ou=spec,ou=customers,ou=Views,o=META)(uid=%U))
BaseDN cn=%U,ou=%R,ou=external,ou=customers,ou=Views,o=META
Scope base
AuthDN cn=THRRadius,o=META
AuthPassword xxxx
AuthAttrDef aaareply,GENERIC,reply
Version 3
Debug 255
NoDefault
# This is the LDAP attribute to match the radius user name
UsernameAttr uid
AddToReply Framed-Protocol = PPP,Service-Type = Framed,NAS-Port-Type=%{NAS-Port-Type},NAS-IP-Address=%{NAS-IP-Address}
</AuthBy>
</Realm>
Any thoughts?
Thanks
Campbell
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
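The bind/search/bind flow described in the post, modelled as an added example. This is not Radiator's code and does not reproduce eDirectory's behaviour: the directory contents, DNs, passwords and the ACL rule ("only the service account may read user entries") are constructed stand-ins. What it shows is why a held connection cannot skip the second bind: per RFC 4511 a successful Bind replaces the authorization identity on the connection, so after the password-checking bind as the user, the next request must rebind as the AuthDN before it can search. Holding the connection therefore saves the TCP/LDAP session setup and the Unbind, but still costs two Bind operations per request.

```python
"""Model of the ServerChecksPassword bind/search/bind pattern.

Added example, not Radiator or Novell eDirectory code. The directory,
credentials and the search ACL below are constructed for illustration.
"""

# Constructed directory: DN -> (password, attributes). Attribute names
# follow the post (uid, groupMembership, aaareply); values are made up.
SERVICE_DN = "cn=THRRadius,o=META"
SERVICE_PW = "svc-secret"          # constructed, stands in for AuthPassword
DIALUP_GROUP = "cn=dialup,ou=services,o=META"
ALICE_DN = "cn=alice,ou=ipx,ou=external,ou=customers,ou=Views,o=META"

DIRECTORY = {
    SERVICE_DN: (SERVICE_PW, {}),
    ALICE_DN: ("alice-pw", {
        "uid": "alice",
        "groupMembership": DIALUP_GROUP,
        "aaareply": 'Framed-IP-Address = "10.1.2.3"',
    }),
}


class LdapConnection:
    """Minimal LDAP session: one authorization identity per connection."""

    def __init__(self):
        self.bound_as = None      # None means anonymous
        self.log = []             # operation names, like the packet trace

    def bind(self, dn, password):
        """Bind replaces the identity on the connection (RFC 4511 4.2);
        a failed bind leaves the connection anonymous."""
        self.log.append("BindRequest")
        entry = DIRECTORY.get(dn)
        ok = entry is not None and entry[0] == password
        self.bound_as = dn if ok else None
        return ok

    def search(self, uid, required_group):
        """Mirror of the posted filter (&(groupMembership=G)(uid=U)).
        Constructed ACL: only the service account may read user entries."""
        self.log.append("SearchRequest")
        if self.bound_as != SERVICE_DN:
            raise PermissionError(
                f"search needs {SERVICE_DN}, connection is bound as {self.bound_as!r}")
        for dn, (_pw, attrs) in DIRECTORY.items():
            if attrs.get("uid") == uid and attrs.get("groupMembership") == required_group:
                return dn, attrs
        return None, None

    def unbind(self):
        self.log.append("UnbindRequest")
        self.bound_as = None


def authenticate(conn, uid, password, required_group, hold_connection=False):
    """Bind as AuthDN, search for the user, bind as the user so the server
    checks the password. Returns (accepted, aaareply value or None)."""
    # First bind: the service account, so the search is authorised. This is
    # needed on every request, held connection or not, because the previous
    # request's user bind (or failed bind) replaced the identity.
    if not conn.bind(SERVICE_DN, SERVICE_PW):
        raise RuntimeError("service bind failed")
    dn, attrs = conn.search(uid, required_group)
    if dn is None:
        accepted, reply = False, None
    else:
        # Second bind: the directory verifies the password for us.
        accepted = conn.bind(dn, password)
        reply = attrs["aaareply"] if accepted else None
    if not hold_connection:
        conn.unbind()
    return accepted, reply


def count_ops(conn):
    """Operation counts for a connection, comparable to the packet trace."""
    return {op: conn.log.count(op)
            for op in ("BindRequest", "SearchRequest", "UnbindRequest")}


def search_without_rebind_fails():
    """After a held user bind, searching without rebinding as AuthDN fails
    under the constructed ACL; True means the ACL blocked it."""
    conn = LdapConnection()
    authenticate(conn, "alice", "alice-pw", DIALUP_GROUP, hold_connection=True)
    try:
        conn.search("alice", DIALUP_GROUP)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    c = LdapConnection()
    print(authenticate(c, "alice", "alice-pw", DIALUP_GROUP), count_ops(c))
```

Run as a script it prints the accept decision, the aaareply value and the per-connection operation counts; compare the counts with the trace in the post (two Bind Requests, one Search Request, one Unbind Request per authentication).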