LDAP search failed(timeout) with FreeRADIUS LDAP module

發表於 分類於

當環境是使用Active Directory,且 domain 不只有一個的時候,就蠻常遇到以下狀況:

1
2
Bind successful
WARNING Search failed: Time out while waiting for server to respond. Got new socket, retrying...

Freeradius log顯示admin bind為成功,但是要做ldap search卻failed(timeout)

mods-available/ldap設定檔中可以看到官方說明

1
2
3
4
5
6
7
8
9
10
11
12
13
14
options {
        ...
        #
        #  The following two configuration items control whether the
        #  server follows references returned by LDAP directory.
        #  They are  mostly for Active Directory compatibility.
        #  If you set these to 'no', then searches will likely return
        #  'operations error', instead of a useful result.
        #
        chase_referrals = yes
        rebind = yes

...
}

這兩個參數可以加強Active Directory的相容性,但是chase_referrals多網域的環境底下反而會造成ldap查詢逾時。

所以可在options裡面加入chase_referrals = no這個參數。

1
2
3
4
5
6
7
8
9
10
11
12
13
ldap win-AD {
    server = 'winad.local'
    identity = 'cn=admin,dc=winad,dc=local'
    password = '<admin password>'
    base_dn = 'dc=winad,dc=local'
    user {
        base_dn = "${..base_dn}"
        filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"
    }
    options {
        chase_referrals = no
    }
}

這樣查詢就會恢復正常。