[RADIATOR] AuthByLSA group issue if DC controller is unavailable.

Heikki Vatiainen hvn at open.com.au
Fri Apr 3 14:53:57 CDT 2015


On 04/03/2015 09:10 PM, Robert Fisher wrote:

> What comes to mind, is you could try commenting out the second if block
> and the references to $self->${controllers}{$domain} to force it to call the
> GetAnyDomainControllers each time.
> 
> Two real issues with that approach... The first is that since I can't find the
> documentation for the underlying C library, I don't know if that search
> would include inactive DCs or not, and I don't have an AD environment
> to test it on directly.

I think here is the code that does the actual library call. The called C
library seems to be NetGetAnyDCName
http://cpansearch.perl.org/src/JDB/Win32-NetAdmin-0.13/NetAdmin.xs

Looks like there's nothing in NetGetAnyDCName documentation about the
controller being inactive or not. I'm not familiar with these API
functions, so I cannot tell if it skips inactive controllers or not.

> The second issue is that it obviously pushes the processing time per
> request up; although hopefully not by much.

Configuration flag parameter LogMicroseconds could be useful here. A test
before and after the code change should show the time difference between
the log messages around the GetAnyDomainControllers call.

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

