#
# ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
+ # The default is to wait 10 seconds for ntlm_auth to
+ # complete. This is a long time, and if it's taking that
+ # long then you likely have other problems in your domain.
+ # The length of time can be decreased with the following
+ # option, which can save clients waiting if your ntlm_auth
+ # usually finishes quicker. Range 1 to 10 seconds.
+ #
+# ntlm_auth_timeout = 10
+
passchange {
# This support MS-CHAPv2 (not v1) password change
# requests. See doc/mschap.rst for more IMPORTANT
int with_ntdomain_hack; /* this should be in another module */
char const *xlat_name;
char *ntlm_auth;
+ int ntlm_auth_timeout;
char *ntlm_cpw;
char *ntlm_cpw_username;
char *ntlm_cpw_domain;
offsetof(rlm_mschap_t,with_ntdomain_hack), NULL, "yes" },
{ "ntlm_auth", PW_TYPE_STRING_PTR,
offsetof(rlm_mschap_t, ntlm_auth), NULL, NULL },
+ { "ntlm_auth_timeout", PW_TYPE_INTEGER,
+ offsetof(rlm_mschap_t, ntlm_auth_timeout), NULL, NULL },
{ "passchange", PW_TYPE_SUBSECTION, 0, NULL, (void const *) passchange_config },
{ "allow_retry", PW_TYPE_BOOLEAN,
offsetof(rlm_mschap_t, allow_retry), NULL, "yes" },
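Review bot: The `ntlm_auth_timeout` entry is registered with a `NULL` default, so an omitted option and an explicit `ntlm_auth_timeout = 0` presumably both reach instantiation as 0. The `if (!inst->ntlm_auth_timeout)` branch in the validation hunk then silently substitutes `EXEC_TIMEOUT` instead of rejecting 0 against the documented 1 to 10 range. If `EXEC_TIMEOUT` is 10, as the sample configuration comment states (its definition is not visible here), a string default on the entry, `offsetof(rlm_mschap_t, ntlm_auth_timeout), NULL, "10" },`, would let the zero fallback be dropped so that the `< 1` check reports a misconfigured 0. The parser table starts and ends outside this hunk.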
inst->auth_type = inst->xlat_name;
}
+ /*
+ * Check ntlm_auth_timeout is sane
+ */
+ if (!inst->ntlm_auth_timeout) {
+ inst->ntlm_auth_timeout = EXEC_TIMEOUT;
+ }
+ if (inst->ntlm_auth_timeout < 1) {
+ cf_log_err_cs(conf, "ntml_auth_timeout '%d' is too small (minimum: 1)",
+ inst->ntlm_auth_timeout);
+ return -1;
+ }
+ if (inst->ntlm_auth_timeout > 10) {
+ cf_log_err_cs(conf, "ntlm_auth_timeout '%d' is too large (maximum: 10)",
+ inst->ntlm_auth_timeout);
+ return -1;
+ }
+
return 0;
}
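Review bot: The too-small error message in the first `cf_log_err_cs` call misspells the option as `ntml_auth_timeout`, so an operator searching the log for the setting name will not find it. It should read `cf_log_err_cs(conf, "ntlm_auth_timeout '%d' is too small (minimum: 1)",` to match the too-large message. The upper bound is also the literal 10 while the fallback value is `EXEC_TIMEOUT`, so if that constant is ever raised the unset default would fail its own range check. Using `if (inst->ntlm_auth_timeout > EXEC_TIMEOUT) {` and printing the maximum from the same constant keeps the two in step. The enclosing function starts outside the hunk.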
* Run the program, and expect that we get 16
*/
result = radius_exec_program(request, inst->ntlm_auth, true, true,
- buffer, sizeof(buffer), EXEC_TIMEOUT,
+ buffer, sizeof(buffer), inst->ntlm_auth_timeout,
NULL, NULL);
if (result != 0) {
char *p;