On 21/02/17 at 18:21, Adam Bishop wrote:
> On 21 Feb 2017, at 07:14, Alejandro Pérez Méndez <[log in to unmask]> wrote:
>> What seems to be happening is the following. IDP2 uses the sqlite database for two purposes: 1) to check the existence of the TLS PSK key to establish a socket with IDP1, and 2) to authorize the use of that key by the RP ... but this does not always happen. When IDP2 creates a TLS socket with IDP1, it persists for a while (I guess for performance reasons). As the socket references the TLS Identity ("key-1c224f"), the TLS channel creation will be authorized as long as the socket is alive (no matter what the DB says). However, authorization of the key (done later on IDP2) always uses the sqlite database. Hence, under high load (something that we could expect in the future), the socket never expires, having "key-1c224f" recognized as a valid TLS key for channel establishment, but since it already expired, IDP2 will not authenticate the user and say "RP is not authorized". Note that under this error, IDP1 does not dispose of the dynamic REALM, so subsequent authentications will still try to use "key-1c224f".
> So, we need to add in a maximum lifetime for radsec connections.
Indeed that's exactly what's required.
>
> There is a lifetime configured for inbound connections, we can see if that's exposed for outbound connections too.
You can assign lifetime to inbound (clients) connections, but by default
it is set to 0 (infinite) and they are not set from the data in the
database.
Regards,
>
> Regards,
>
> Adam Bishop
> Senior Infrastructure and Systems Architect
>
> gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
> t: +44 (0)1235 822 245
> xmpp: [log in to unmask]
>
> jisc.ac.uk
>
> Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.
>
> Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
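The failure mode described in this thread (a long-lived RadSec socket keeps a TLS PSK identity "authorized" for channel establishment while the per-request key authorization consults the database, where the key has already expired) can be reproduced with a small model, and the proposed fix, a maximum lifetime for outbound connections, can be checked against it. The code below is an added illustration written for this page; it is not code from the thread, from FreeRADIUS or from any Moonshot component. The key store, connection pool, timings, the identity name reused from the report and the PSK value are all constructed for the example.

```python
"""Model of stale-connection authorization versus database key expiry.

Constructed example: a key table with expiry stands in for the sqlite
database, and a connection pool stands in for the cached RadSec sockets.
"""


class ChannelRefused(Exception):
    """Raised when a new TLS channel cannot be established for an identity."""


class KeyStore:
    """Stand-in for the sqlite table of TLS PSK identities with an expiry time."""

    def __init__(self):
        self.keys = {}  # identity -> (psk, expires_at)

    def add(self, identity, psk, ttl, now):
        self.keys[identity] = (psk, now + ttl)

    def authorized(self, identity, now):
        # The database is the only source of truth: an expired key is absent.
        entry = self.keys.get(identity)
        return entry is not None and entry[1] > now


class Connection:
    """A cached outbound TLS socket bound to the PSK identity used to open it."""

    def __init__(self, identity, established_at):
        self.identity = identity
        self.established_at = established_at


class ConnectionPool:
    """Caches one connection per peer; max_lifetime=None reproduces the bug."""

    def __init__(self, store, max_lifetime=None):
        self.store = store
        self.max_lifetime = max_lifetime
        self.conns = {}  # peer -> Connection

    def get(self, peer, identity, now):
        conn = self.conns.get(peer)
        # With a maximum lifetime the socket is torn down regardless of load,
        # forcing the PSK identity to be re-checked against the database.
        if conn is not None and self.max_lifetime is not None \
                and now - conn.established_at >= self.max_lifetime:
            del self.conns[peer]
            conn = None
        if conn is None:
            if not self.store.authorized(identity, now):
                raise ChannelRefused(identity)
            conn = Connection(identity, now)
            self.conns[peer] = conn
        return conn


def authenticate(pool, store, peer, identity, now):
    """Return 'ok', 'channel-refused' or 'rp-not-authorized' for one request."""
    try:
        conn = pool.get(peer, identity, now)
    except ChannelRefused:
        return "channel-refused"
    # Key authorization always consults the database, as the report describes,
    # so a live socket whose identity has expired yields the inconsistent result.
    if not store.authorized(conn.identity, now):
        return "rp-not-authorized"
    return "ok"


def simulate(max_lifetime):
    """Run three requests at t=0, 30 and 90 s against a key that expires at 60 s."""
    store = KeyStore()
    store.add("key-1c224f", b"constructed-psk", ttl=60, now=0)  # constructed values
    pool = ConnectionPool(store, max_lifetime)
    return [authenticate(pool, store, "idp1", "key-1c224f", t) for t in (0, 30, 90)]


if __name__ == "__main__":
    print("no lifetime:", simulate(None))   # third request: rp-not-authorized
    print("lifetime 45s:", simulate(45))    # third request: channel-refused
```

Without a lifetime the third request reaches the inconsistent state from the report: the cached channel is accepted but the database refuses the key. With a lifetime shorter than the key's remaining validity, the socket is rebuilt, the expired identity is refused at channel establishment, and the refusal is the signal the caller needs in order to discard the dynamic realm and fetch a fresh key rather than retrying the stale one.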