(RADIATOR) Radiator and LDAP performance
Hugh Irvine
hugh at open.com.au
Thu Mar 3 00:29:06 CST 2005
Hello Jim, Hello Campbell -
I can confirm that the Novell eDirectory is _much_ faster than any
other LDAP server I have looked at (a limited number).
LDAP queries appeared to take on the order of a millisecond as seen
from a trace 4 debug with LogMicroseconds.
regards
Hugh
On 3 Mar 2005, at 01:17, Jim Michael wrote:
> How many users are going to be authenticating this way, and at what
> rate? Unless you have thousands of users *per minute* authenticating
> via 802.1x, then I think you're worrying too much about the hit of two
> binds to eDirectory. eDirectory is a screamer when it comes to
> performance, and I very much doubt you have a load that will bring it
> to its knees.
>
> Jim
>
>>>> "Campbell Simpson" <Campbell.Simpson2 at telecom.co.nz> 3/2/2005 5:18
>>>> PM >>>
> Hi people,
>
> I've got a working radiator config that's talking LDAP to Novell
> eDirectory. Now I'm looking at how efficient the LDAP authentication
> process is and this is where I need some advice. It looks to me that
> this is the only proper way to authenticate a user, the problem
> however is that it requires two binds per authentication request which
> will obviously have an effect on performance. It also seems to me that
> 'ServerChecksPassword' and 'HoldServerConnection' are mutually
> exclusive flags.
>
> First up Radiator needs to be authenticated against the LDAP directory
> before it can search for the user. So I have an AuthDN and
> AuthPassword set. Radiator then searches for the username with a
> custom search filter and gets the contents of the aaareply LDAP
> attribute. As Novell implement proprietary encryption for the user
> password I need to use the 'ServerChecksPassword' flag. This means
> there needs to be a second bind done on the username and password to
> confirm the correct password.
>
> So the question is is there a way to perform this authentication using
> only a single bind?
>
> Although eDirextory does support persistent connections (according to
> Novell) I can't get it working with the 'HoldServerConnection' flag.
> Should this flag work if the 'ServerChecksPassword' is set as well? As
> it's doing a bind then search then another bind to the user then it
> seems to me this can't work?? When I run a packet debug I see the two
> binds occurring but then radiator sends an unbind request. This all
> occurs over the same LDAP connection so it seems to be that when you
> set 'ServerChecksPassword' then radiator will always send and unbind
> request for the LDAP session even though 'HoldServerConnection' is
> set.
>
> See below packet capture, this is with 'HoldServerConnection' and
> 'ServerChecksPassword' set:
>
> thr2 -> 146.171.39.80 LDAP C port=33189 Bind Request
> 146.171.39.80 -> thr2 LDAP R port=33189 Bind Response Success
> thr2 -> 146.171.39.80 LDAP C port=33189 Search Request
> derefFindingBaseObj
> 146.171.39.80 -> thr2 LDAP R port=33189 Search ResDone Success
> thr2 -> 146.171.39.80 LDAP C port=33189 Bind Request
> 146.171.39.80 -> thr2 LDAP R port=33189 Bind Response Success
> thr2 -> 146.171.39.80 LDAP C port=33189 Unbind Request
>
> Here's my config:
>
> <Realm DEFAULT>
> PreAuthHook file:"/opt/radiator/realmprefix.pl"
> RewriteUsername s/\@ip\w\./\@/
> AcctLogFileName %L/accounting.%R
> WtmpFileName %L/wtmp.%R
> PasswordLogFileName %L/auth.%R
>
> <AuthBy LDAP2>
> Host 146.171.39.80
> Port 389
> # HoldServerConnection
> ServerChecksPassword
> SearchFilter
> (&(groupMembership=cn=%{GlobalVar:access},ou=servic
> es,ou=THR,ou=Applications,ou=spec,ou=customers,ou=Views,o=META)
> (uid=%U))
> BaseDN
> cn=%U,ou=%R,ou=external,ou=customers,ou=Views,o=META
> Scope base
> AuthDN cn=THRRadius,o=META
> AuthPassword xxxx
> AuthAttrDef aaareply,GENERIC,reply
> Version 3
> Debug 255
> NoDefault
>
> # This is the LDAP attribute to match the radius user
> name
> UsernameAttr uid
> AddToReply Framed-Protocol = PPP,Service-Type =
> Framed,NAS-Port
> -Type=%{NAS-Port-Type},NAS-IP-Address=%{NAS-IP-Address}
>
> </AuthBy>
> </Realm>
>
> Any thoughts?
>
> Thanks
>
> Campbell
>
>
> --
> No virus found in this outgoing message.
> Checked by AVG Anti-Virus.
> Version: 7.0.300 / Virus Database: 266.5.2 - Release Date: 28/02/2005
>
>
> -----------------------------------------------------------------------
> -------
> "This communication, including any attachments, is confidential.
> If you are not the intended recipient, you should not read
> it - please contact me immediately, destroy it, and do not
> copy or use any part of this communication or disclose
> anything about it. Thank you. Please note that this
> communication does not designate an information system for
> the purposes of the Electronic Transactions Act 2002."
> -----------------------------------------------------------------------
> -------
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: I am travelling this week, so there may be delays in our
correspondence.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list