From: Matthew Newton
Date: Tue, 15 Oct 2013 21:40:51 +0000 (+0100)
Subject: add ntlm_auth_timeout option to rlm_mschap
X-Git-Tag: release_3_0_1~366
X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;h=2593d05c46474278f44f141ee29be2ebae07dc5d;p=freeradius.git
add ntlm_auth_timeout option to rlm_mschap
---
diff --git a/raddb/mods-available/mschap b/raddb/mods-available/mschap
index e496ccc..2170df1 100644
--- a/raddb/mods-available/mschap
+++ b/raddb/mods-available/mschap
@@ -57,6 +57,15 @@ mschap {
 #
 # ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
 
+ # The default is to wait 10 seconds for ntlm_auth to
+ # complete. This is a long time, and if it's taking that
+ # long then you likely have other problems in your domain.
+ # The length of time can be decreased with the following
+ # option, which can save clients waiting if your ntlm_auth
+ # usually finishes quicker. Range 1 to 10 seconds.
+ #
+# ntlm_auth_timeout = 10
+
 passchange {
 # This support MS-CHAPv2 (not v1) password change
 # requests. See doc/mschap.rst for more IMPORTANT
diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
index ae3ecb8..5f5bf09 100644
--- a/src/modules/rlm_mschap/rlm_mschap.c
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -144,6 +144,7 @@ typedef struct rlm_mschap_t {
 int with_ntdomain_hack; /* this should be in another module */
 char const *xlat_name;
 char *ntlm_auth;
+ int ntlm_auth_timeout;
 char *ntlm_cpw;
 char *ntlm_cpw_username;
 char *ntlm_cpw_domain;
@@ -554,6 +555,8 @@ static const CONF_PARSER module_config[] = {
 offsetof(rlm_mschap_t,with_ntdomain_hack), NULL, "yes" },
 { "ntlm_auth", PW_TYPE_STRING_PTR,
 offsetof(rlm_mschap_t, ntlm_auth), NULL, NULL },
+ { "ntlm_auth_timeout", PW_TYPE_INTEGER,
+ offsetof(rlm_mschap_t, ntlm_auth_timeout), NULL, NULL },
 { "passchange", PW_TYPE_SUBSECTION, 0, NULL, (void const *) passchange_config },
 { "allow_retry", PW_TYPE_BOOLEAN,
 offsetof(rlm_mschap_t, allow_retry), NULL, "yes" },
@@ -594,6 +597,23 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance)
 inst->auth_type = inst->xlat_name;
 }
 
+ /*
+ * Check ntlm_auth_timeout is sane
+ */
+ if (!inst->ntlm_auth_timeout) {
+ inst->ntlm_auth_timeout = EXEC_TIMEOUT;
+ }
+ if (inst->ntlm_auth_timeout < 1) {
+ cf_log_err_cs(conf, "ntml_auth_timeout '%d' is too small (minimum: 1)",
+ inst->ntlm_auth_timeout);
+ return -1;
+ }
+ if (inst->ntlm_auth_timeout > 10) {
+ cf_log_err_cs(conf, "ntlm_auth_timeout '%d' is too large (maximum: 10)",
+ inst->ntlm_auth_timeout);
+ return -1;
+ }
+
 return 0;
 }
 
@@ -1058,7 +1078,7 @@ static int do_mschap(rlm_mschap_t *inst,
 * Run the program, and expect that we get 16
 */
 result = radius_exec_program(request, inst->ntlm_auth, true, true,
- buffer, sizeof(buffer), EXEC_TIMEOUT,
+ buffer, sizeof(buffer), inst->ntlm_auth_timeout,
 NULL, NULL);
 if (result != 0) {
 char *p;
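Review bot: In the module_config hunk the new `ntlm_auth_timeout` entry is declared with no default (`NULL, NULL`), so an unset option and an explicit `ntlm_auth_timeout = 0` both arrive in mod_instantiate as 0 and cannot be told apart. Neighbouring entries carry their default as a string (`"yes"`); doing the same here, for example `offsetof(rlm_mschap_t, ntlm_auth_timeout), NULL, "10" },`, would let the range check reject an explicit 0, which the sample config's "Range 1 to 10 seconds" implies is invalid. The literal should track EXEC_TIMEOUT, whose value is not visible in this diff and is only presumed to be 10 from the config comment.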
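Review bot: In the mod_instantiate hunk the "too small" message misspells the option as `ntml_auth_timeout`, so an operator searching the configuration for the name in the log will not find it; it should read `"ntlm_auth_timeout '%d' is too small (minimum: 1)"`. Because the preceding `if (!inst->ntlm_auth_timeout)` replaces 0 with EXEC_TIMEOUT, the `< 1` branch can only fire for negative values. The upper bound is the literal 10 while the fallback is EXEC_TIMEOUT, so if that constant were ever raised above 10 the default itself would fail instantiation; comparing against EXEC_TIMEOUT or a named maximum keeps the two in step. The bound is worth keeping, since it caps how long a stalled ntlm_auth helper can hold an authentication request. mod_instantiate begins outside the hunk.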