add ntlm_auth_timeout option to rlm_mschap
authorMatthew Newton <mcn4@leicester.ac.uk>
Tue, 15 Oct 2013 21:40:51 +0000 (22:40 +0100)
committerAlan T. DeKok <aland@freeradius.org>
Wed, 16 Oct 2013 15:16:06 +0000 (11:16 -0400)
raddb/mods-available/mschap
src/modules/rlm_mschap/rlm_mschap.c

index e496ccc..2170df1 100644 (file)
@@ -57,6 +57,15 @@ mschap {
        #
 #      ntlm_auth = "/path/to/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
 
+       # The default is to wait 10 seconds for ntlm_auth to
+       # complete.  This is a long time, and if it's taking that
+       # long then you likely have other problems in your domain.
+       # The length of time can be decreased with the following
+       # option, which can save clients waiting if your ntlm_auth
+       # usually finishes quicker. Range 1 to 10 seconds.
+       #
+#      ntlm_auth_timeout = 10
+
        passchange {
                # This support MS-CHAPv2 (not v1) password change
                # requests.  See doc/mschap.rst for more IMPORTANT
index ae3ecb8..5f5bf09 100644 (file)
@@ -144,6 +144,7 @@ typedef struct rlm_mschap_t {
        int with_ntdomain_hack; /* this should be in another module */
        char const *xlat_name;
        char *ntlm_auth;
+       int ntlm_auth_timeout;
        char *ntlm_cpw;
        char *ntlm_cpw_username;
        char *ntlm_cpw_domain;
@@ -554,6 +555,8 @@ static const CONF_PARSER module_config[] = {
          offsetof(rlm_mschap_t,with_ntdomain_hack), NULL, "yes" },
        { "ntlm_auth",   PW_TYPE_STRING_PTR,
          offsetof(rlm_mschap_t, ntlm_auth), NULL,  NULL },
+       { "ntlm_auth_timeout",   PW_TYPE_INTEGER,
+         offsetof(rlm_mschap_t, ntlm_auth_timeout), NULL,  NULL },
        { "passchange", PW_TYPE_SUBSECTION, 0, NULL, (void const *) passchange_config },
        { "allow_retry",   PW_TYPE_BOOLEAN,
          offsetof(rlm_mschap_t, allow_retry), NULL,  "yes" },
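Review bot: The new `ntlm_auth_timeout` entry is registered with a `NULL` default, so an unset option and an explicit `ntlm_auth_timeout = 0` presumably both reach mod_instantiate as 0 and cannot be told apart. The `!inst->ntlm_auth_timeout` test added there then silently maps an explicit 0 to EXEC_TIMEOUT instead of rejecting it as outside the documented range of 1 to 10. Giving the entry a string default, as the neighbouring entries do, e.g. `offsetof(rlm_mschap_t, ntlm_auth_timeout), NULL, "10" },`, would let the range check reject 0 and make the zero test unnecessary. The module_config array starts and ends outside this hunk.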
@@ -594,6 +597,23 @@ static int mod_instantiate(CONF_SECTION *conf, void *instance)
                inst->auth_type = inst->xlat_name;
        }
 
+       /*
+        *      Check ntlm_auth_timeout is sane
+        */
+       if (!inst->ntlm_auth_timeout) {
+               inst->ntlm_auth_timeout = EXEC_TIMEOUT;
+       }
+       if (inst->ntlm_auth_timeout < 1) {
+               cf_log_err_cs(conf, "ntml_auth_timeout '%d' is too small (minimum: 1)",
+                             inst->ntlm_auth_timeout);
+               return -1;
+       }
+       if (inst->ntlm_auth_timeout > 10) {
+               cf_log_err_cs(conf, "ntlm_auth_timeout '%d' is too large (maximum: 10)",
+                             inst->ntlm_auth_timeout);
+               return -1;
+       }
+
        return 0;
 }
 
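Review bot: The "too small" error message misspells the option as `ntml_auth_timeout`, so an administrator searching the log or the configuration for the reported name will not find it; it should read `"ntlm_auth_timeout '%d' is too small (minimum: 1)"`, matching the "too large" message below it. Because 0 is replaced by EXEC_TIMEOUT before the range checks, the `< 1` branch is reached only for negative values. The upper bound is a literal `10` while the fallback is EXEC_TIMEOUT; if that constant is ever raised above 10, the unset default would fail the maximum check, so comparing against `EXEC_TIMEOUT` (or a named constant) and adding a short comment saying why the bound exists would keep the two in step. mod_instantiate begins outside this hunk.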
@@ -1058,7 +1078,7 @@ static int do_mschap(rlm_mschap_t *inst,
                 *      Run the program, and expect that we get 16
                 */
                result = radius_exec_program(request, inst->ntlm_auth, true, true,
-                                            buffer, sizeof(buffer), EXEC_TIMEOUT,
+                                            buffer, sizeof(buffer), inst->ntlm_auth_timeout,
                                             NULL, NULL);
                if (result != 0) {
                        char *p;