summaryrefslogtreecommitdiffstats
path: root/raddb/mods-available/cache_auth
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--raddb/mods-available/cache_auth116
1 files changed, 116 insertions, 0 deletions
diff --git a/raddb/mods-available/cache_auth b/raddb/mods-available/cache_auth
new file mode 100644
index 0000000..7485f36
--- /dev/null
+++ b/raddb/mods-available/cache_auth
@@ -0,0 +1,116 @@
+# -*- text -*-
+#
+# $Id$
+
+# This file contains a collection of cache module configurations
+# which have been designed to be used to cache accepts, rejects, and
+# LDAP User DNs. The main use of these modules is Google Secure
+# LDAP.
+#
+# In scenarios where there is repeated authentication requests for the same
+# user within a short time frame (e.g. 802.1x wifi), these modules can help to
+# compensate for slow responses from poor LDAP servers (i.e. Google).
+#
+# See also mods-available/ldap_google, and sites-available/google-ldap-auth.
+#
+# The configurations in this file can be used for non-Google LDAP
+# servers, too.
+#
+
+
+#
+# This instance of the cache module caches successful
+# authentications.
+#
+# The TTL controls how often the authentication will be cached.
+#
+# In addition, if group membership is used as part of the policy, the
+# &control:LDAP-Group attribute should be added to the "update: section here.
+#
+# If a user's authentication is found in the cache, then any data
+# which is normally retrieved from LDAP for local policies must also
+# be stored in the cache via the "update" section.
+#
+cache cache_auth_accept {
+ driver = "rlm_cache_rbtree"
+ key = "%{md5:%{%{Stripped-User-Name}:-%{User-Name}}%{User-Password}}"
+ ttl = 7200
+ update {
+ #
+ # We need to cache something, so we just cache
+ # a random attribute. This attribute is not used
+ # for anything else, just as a "place-holder" to
+ # contain a cache entry.
+ #
+ # If you add other attributes to this update section, then
+ # this attribute can be deleted.
+ #
+ &control:User-Category = "success"
+ }
+}
+
+
+#
+# This instance of the cache module caches failed authentications.
+#
+# In many cases, rejected users will repeatedly try to authenticate.
+# These repeated authentication attempts can cause significant load
+# on the system. By caching the reject, we can avoid hitting the database.
+#
+# We index the cache by a hash of the client's MAC and the user name
+# and password. If a user corrects their user name or password, then
+# that authentication attempt won't hit the cache, and their
+# credentials will be immediately checked against the database.
+#
+# The TTL controls how long a combination of device / user and
+# password wil be rejected without looking at the database. Once the
+# cache entry expires, the server will delete the cache entry, and
+# contact the database.
+#
+cache cache_auth_reject {
+ driver = "rlm_cache_rbtree"
+ key = "%{md5:%{Calling-Station-Id}%{Stripped-User-Name}%{User-Password}}"
+ ttl = 3600
+ update {
+ #
+ # We need to cache something, so we just cache
+ # a random attribute. This attribute is not used
+ # for anything else, just as a "place-holder" to
+ # contain a cache entry.
+ #
+ &control:User-Category = "failure"
+ }
+}
+
+
+#
+# An instance of the cache module which caches the LDAP user DN.
+#
+# If LDAP authentication is being used for a simple auth / reject without
+# any need to retrieve other attributes (e.g. group membership), each LDAP
+# bind authentication is three steps
+#
+# - bind as admin user
+# - lookup user's DN
+# - bind as user using retrieved DN
+#
+# By caching the DN after the first LDAP querry, the first two steps
+# are skipped on subsequent authentications.
+#
+# If an alternative attribute name is being used for the user DN, you
+# should change the update section here appropriately. But that is
+# likely rare.
+#
+# In scenarios where DNs may change, consideration should be given as
+# to whether use of this cache may create issues. i.e. if the cache
+# doesn't help, then don't use it.
+#
+cache cache_ldap_user_dn {
+ driver = "rlm_cache_rbtree"
+ key = "%{Stripped-User-Name}"
+ ttl = 86400
+ update {
+ &control:LDAP-UserDN = &control:LDAP-UserDN
+ }
+}
+