search

SCS-CBU-CED-IAM / mobileid

Mobile ID Sample Scripts
http://mobile-id.ch
13 stars 5 forks source link

Bypass the rlm_exec timeout of 30 seconds #44

Closed FreddyKaiser closed 10 years ago

FreddyKaiser commented 10 years ago

freeRadius has taken our patch to avoid hardcoding of the timeout value for an exec process (was 10 seconds). This can now be configured in the corresponding module with the timeout value. The problem is that the maximum is limited to 30 seconds. Better but still not enough to for our MID requests as they are depending on the answer time of the enduser.

Possible options (ordered in estimated amount of effort): 1) Place a change request to freeradius to allow up to 120 seconds 2) Switch from rlm_exec to rlm_perl and call the bash mobileid-sign.sh script 3) Switch from rlm_exec to rlm_perl and write native perl script for mobileid 4) Write a native C rlm_mobileid module to avoid the use of rlm_exec 5) Switch to asynchron Mobile ID request and the polling as the radius protocol/clients should do retries

FreddyKaiser commented 10 years ago

At least for 2) and 3)

rlm_perl does not have any hardcoded timeout values. A call of sleep(120); does work without any problem

FreddyKaiser commented 10 years ago

1) Place a change request to freeradius to allow up to 120 seconds

From: "Kaiser Freddy, SCS-CBU-CED-IAM" freddy.kaiser@swisscom.com Subject: freeRadius - rlm_exec timeout Date: 30 Dec 2013 13:02:25 GMT+1 To: Philipp Hug philipp.hug@abacus.ch

Hoi Philipp,

Erinnerst du dich noch an http://lists.freeradius.org/pipermail/freeradius-devel/2012-September/007047.html

Also jetzt ist es möglich den timeout zu setzen, leider ist da immer noch ein check drinnen im Bezug auf Maximum. Siehe ab Zeile 280 in https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_exec/rlm_exec.c

Könntest du da nochmals nachhaken und dieses Maximum wegnehmen lassen (oder auf 120 erlauben) ? Am einfachsten so etwas: / * Get the time to wait before killing the child / if (!inst->timeout) { inst->timeout = EXEC_TIMEOUT; } if (inst->timeout < 1) { inst->timeout = EXEC_TIMEOUT; }

Zur Info: in allen anderen Modulen gibt es keine solche Limiten; siehe mod_perl, mod_ldap ..

FreddyKaiser commented 10 years ago

From: Alan DeKok notifications@github.com Subject: Re: [freeradius-server] exec_timeout patch (#453) Date: 31 Jul 2014 09:48:42 GMT+2

Sure. Submit a patch to make it depend in max_request_time

On Jul 31, 2014, at 9:35 AM, Freddy Kaiser notifications@github.com wrote:

In regards to the "Timeout is too large", Maximum 30 respectively 10. Would it be possible to set this not statically/hardcoded but to a configuration value too? or be taken out of max_request_time (see radiusd.conf)

https://github.com/FreeRADIUS/freeradius-server/pull/453#issuecomment-50727301

FreddyKaiser commented 10 years ago

Moved into the new/separate freeradius-mobileid project