(RADIATOR) LDAP, Radiator and Single Threads

Hugh Irvine hugh at open.com.au
Tue Sep 27 01:20:14 CDT 2005


Hello Steve -

What most people do is run multiple hosts, each with two instances of
Radiator, one for authentication and the other for accounting. A
load-balancer is put in front to distribute the Radius requests.

In your situation, however, the problem is clearly the LDAP server,
and if you can't change the LDAP server I suggest you export the
username/password pairs to a flat file on a periodic basis (nightly?)
and configure Radiator to use the flat file. Radiator will cache the
flat file in memory and you will find that the performance is
excellent. You could also write your own custom AuthBy module to read
the username/password pairs from the LDAP server into memory at
startup, and thereafter only access the in-memory data.

Note that even if Radiator were multi-threaded, you would still end up
in the same situation, with all of the threads blocked in the same
fashion.

regards

Hugh



On 27 Sep 2005, at 15:45, Steve Phillips wrote:

> Hey There,
>
> We are experiencing some interesting behaviour when performing LDAP  
> queries with Radiator.
>
> When a user authenticates we query an LDAP database to check the
> username/password.
>
> If the user password is incorrect the LDAP server waits for three
> seconds before it sends the Reject back. This is a policy that is
> designed to prevent brute-force attempts, and sadly we are unable to
> change the policy.
>
> As such, it appears that the Radiator process blocks until it gets
> the reply from LDAP, which means it stops servicing requests for
> three seconds.
>
> This in turn leads to a Denial of service of a sort every time  
> someone uses an incorrect username/password pair.
>
> We are assuming that this is due to Radiator being run as a single
> threaded process. Would this be correct? And if so, how would we
> solve this problem?
>
> -- 
> Steve.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>


NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
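As an added illustration, not part of the thread, the Python model below puts numbers on the exchange above: a stream of authentication requests served by one or more blocking workers, with the back end holding every bad-password reject for the three seconds Steve describes, compared against the preloaded in-memory store Hugh suggests and against adding a second worker. The credential data, the traffic pattern and every delay other than the 3 s policy are assumptions.

```python
# Constructed model of the thread's scenario: a RADIUS front end whose
# workers block on a back end that holds bad-password rejects for 3 s.
LDAP_REJECT_DELAY = 3.0     # policy delay from Steve's mail
LDAP_ACCEPT_DELAY = 0.01    # assumed round trip for a correct password
MEMORY_DELAY = 0.0001       # assumed cost of an in-memory lookup

# Constructed credential store, standing in for the nightly flat-file
# export or the table a custom AuthBy would load from LDAP at startup.
CREDENTIALS = {"alice": "correct-horse", "bob": "battery-staple"}

def ldap_lookup(user, password):
    """Live LDAP check: correct passwords return fast, wrong ones block 3 s."""
    ok = CREDENTIALS.get(user) == password
    return ok, (LDAP_ACCEPT_DELAY if ok else LDAP_REJECT_DELAY)

def memory_lookup(user, password):
    """Lookup against the preloaded store: a reject costs the same as an accept."""
    return CREDENTIALS.get(user) == password, MEMORY_DELAY

def simulate(requests, lookup, workers=1):
    """Discrete-event run on a virtual clock; nothing actually sleeps.

    requests: iterable of (arrival_time, user, password) sorted by arrival.
    Each request goes to the worker that frees up first and holds it for
    the lookup's cost. Returns (accepted, worst_queue_wait, finish_time).
    """
    free_at = [0.0] * workers
    accepted, worst_wait = 0, 0.0
    for arrival, user, password in requests:
        i = min(range(workers), key=free_at.__getitem__)
        start = max(arrival, free_at[i])          # queued until a worker is free
        worst_wait = max(worst_wait, start - arrival)
        ok, cost = lookup(user, password)
        accepted += int(ok)
        free_at[i] = start + cost                 # worker is blocked for `cost`
    return accepted, worst_wait, max(free_at)

def sample_load(n=20, interval=0.1):
    """Constructed traffic: one request every 100 ms, every fifth has a typo."""
    return [(k * interval, "alice", "correct-horse" if k % 5 else "wrong")
            for k in range(n)]

if __name__ == "__main__":
    for label, lookup, workers in [("LDAP, 1 worker", ldap_lookup, 1),
                                   ("LDAP, 2 workers", ldap_lookup, 2),
                                   ("in-memory, 1 worker", memory_lookup, 1)]:
        acc, wait, done = simulate(sample_load(), lookup, workers)
        print(f"{label:20s} accepted={acc} worst wait={wait:.2f}s done={done:.2f}s")
```

With four mistyped passwords in two seconds of traffic, the single blocking worker holds some good requests for over ten seconds and a second worker still leaves waits above the 3 s policy delay, while the in-memory store never queues at all.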



