<p><strong>pfSense bugtracker</strong>: pfSense - Bug #3383: Web GUI becomes slow or unusable if the LDAP server used for GUI auth is unreachable</p>
<p><strong>Renato Botelho</strong> (renato@netgate.com), 2014-01-07T04:59:20Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=12980">journal_id=12980</a>)</p>
<p>On pfSense 2.2 you will be able to revert GUI auth backend to Local Database on the same option you use to restore GUI password on console. See <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: Add a means for reverting GUI auth backend to Local Database from the console (Resolved)" href="https://redmine.pfsense.org/issues/3341">#3341</a></p>
<p>I'm not sure if there is something better we could provide to help on this.</p>
<p><strong>Jim Pingle</strong>, 2014-01-07T07:39:18Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=12984">journal_id=12984</a>)</p>
<p>It seems like maybe the authentication fallback that allows a person to log in using local auth when their LDAP server isn't available should be remembering the decision once per session instead of once per page load. Once the user is authenticated it shouldn't need to hit the LDAP server for every subsequent page load like it appears to be doing.</p>
<p><strong>Adam Esslinger</strong> (adamesslinger@gmail.com), 2014-10-02T18:51:36Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=14972">journal_id=14972</a>)</p>
<p>It would also be nice if it supported multiple LDAP servers. In an AD environment there are multiple directory servers, so it would be nice if pfSense supported either querying for the directory servers or where you could add 2-4 additional servers to query. In addition, pfSense should only query once per session upon logon instead of querying for each page.</p>
<p><strong>Adam Esslinger</strong> (adamesslinger@gmail.com), 2014-10-02T19:18:26Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=14973">journal_id=14973</a>)</p>
<p>Another option would be to add an authentication realm drop-down to the login page, like you would get on a Windows machine when it's joined to Active Directory. (username, password, authentication realm)</p>
<p><strong>Robert Middleswarth</strong> (robert@middleswarth.net), 2015-01-09T09:38:28Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=16556">journal_id=16556</a>)</p>
<p>Renato Botelho, being able to revert to the local DB is a useful workaround compared to the current process of having to edit the config or taking 30 min to go through the web pages, but wouldn't a better fix be to either set up LDAP so that if it failed during login it doesn't try on every page or, as someone suggested, if you have RADIUS or LDAP defined, add a 3rd option when logging in: auth source of local DB and auth name.</p>
<p>Thanks<br />Robert</p>
<p><strong>Jim Pingle</strong>, 2015-08-12T11:41:50Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=19813">journal_id=19813</a>)</p>
<ul><li><strong>Category</strong> set to <i>User Manager / Privileges</i></li><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Target version</strong> set to <i>2.3</i></li><li><strong>Affected Architecture</strong> <i>All</i> added</li><li><strong>Affected Architecture</strong> deleted (<del><i></i></del>)</li></ul><p>Looks like the problem here is due to the way LDAP groups are obtained. The GUI does not cache the obtained LDAP group info in $_SESSION but rather performs a new search/query/bind on each page load to determine the LDAP groups, which will slow down a lot if the LDAP server is unreachable.</p>
<p>One option is to cache the group info at login. It would cut down on the number of LDAP queries performed by the GUI and eliminate this issue. The downside to that is if the LDAP user is removed (e.g. user was terminated) then they could still keep accessing pages as long as their session is active. With the current method they would be rejected once the account was removed. At the moment that's also how local users work, but not RADIUS (see <a class="issue tracker-2 status-3 priority-4 priority-default closed" title="Feature: User manager RADIUS authentication method (Resolved)" href="https://redmine.pfsense.org/issues/935">#935</a>).</p>
<p>If the info is not cached then the fact that the auth server was unavailable could be noted in $_SESSION so that future page loads would not continuously attempt to access it and would keep using local auth.</p>
<p>Either way, this should be a fairly easy change to make for 2.3.</p>
<p><strong>Jim Pingle</strong>, 2015-08-12T11:45:37Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=19815">journal_id=19815</a>)</p>
<ul><li><strong>Subject</strong> changed from <i>Web GUI no more available if a defined ldap server is no more available</i> to <i>Web GUI becomes slow or unusable if the LDAP server is unreachable</i></li></ul>
<p><strong>Jim Pingle</strong>, 2015-08-12T11:52:18Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=19816">journal_id=19816</a>)</p>
<ul><li><strong>Subject</strong> changed from <i>Web GUI becomes slow or unusable if the LDAP server is unreachable</i> to <i>Web GUI becomes slow or unusable if the LDAP server used for GUI auth is unreachable</i></li></ul>
<p><strong>Jim Pingle</strong>, 2015-08-13T11:53:13Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=19822">journal_id=19822</a>)</p>
<p>PHP's LDAP library has a network timeout now and that seemed like a good choice that wouldn't increase complexity or compromise security. I pushed a change to add the field to RELENG_2_2 but the commit will need to be replicated on master after the bootstrap merge, so this needs to stay open.</p>
<p>The timeout defaults to 25 seconds (the current timeout is ~1m20sec) and if this happens to someone a lot, lowering it to 10 seconds isn't a bad move. Things would still be sluggish, but usable.</p>
<p><strong>Jim Pingle</strong>, 2015-09-14T13:10:11Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=20620">journal_id=20620</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Provide an LDAP server timeout field. Default to 25 seconds. Resolves #3383" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/d6b4dfe36b2be8b71df733823bb7ffe552300676">d6b4dfe36b2be8b71df733823bb7ffe552300676</a>.</p>
<p><strong>Chris Buechler</strong> (cbuechler@gmail.com), 2015-09-25T18:21:57Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=21195">journal_id=21195</a>)</p>
<ul><li><strong>Affected Version</strong> changed from <i>2.1</i> to <i>All</i></li></ul>
<p><strong>Jim Pingle</strong>, 2015-11-13T12:46:45Z (<a href="https://redmine.pfsense.org/issues/3383?journal_id=22401">journal_id=22401</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>I've tested this on 2.2 and again now on 2.3; I think this is as close as we're going to get. With the server timeout set reasonably low (e.g. 10s), the GUI is a little sluggish but not unusable like before.</p>
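<p>The two mitigations discussed in this thread, sketched as an added example that is not pfSense's own code: the per-connection LDAP network timeout the changeset adds, and Jim Pingle's alternative of noting an unreachable auth server in $_SESSION so later page loads stop querying it. The function names, the 60-second backoff, the posixGroup/memberUid filter and the offline stub are assumptions made for the example.</p>

```php
<?php
// Added example, not pfSense code. (1) PHP's LDAP network timeout makes an
// unreachable server fail in seconds instead of ~1m20s; (2) recording that
// failure in the session lets later page loads skip LDAP. Only the failure is
// cached, never group membership, so a removed account is still rejected once
// the server is reachable again.
const LDAP_TIMEOUT_SECONDS = 10;  // value suggested in the thread
const LDAP_BACKOFF_SECONDS = 60;  // assumption: how long to stay on local auth

/** Look up $user's groups; returns null when the server cannot be reached. */
function ldap_lookup_groups(string $uri, string $bindDn, string $bindPw,
                            string $baseDn, string $user): ?array {
    $ldap = ldap_connect($uri);
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, LDAP_TIMEOUT_SECONDS);
    if (!@ldap_bind($ldap, $bindDn, $bindPw)) {
        return null;                 // timed out or refused: treat as unreachable
    }
    // Escape the username so it cannot alter the filter (assumes posixGroup schema).
    $filter = '(memberUid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
    $result = @ldap_search($ldap, $baseDn, $filter, ['cn']);
    if ($result === false) { return null; }
    $groups = [];
    foreach (ldap_get_entries($ldap, $result) as $key => $entry) {
        if (is_int($key)) {          // skip the 'count' element
            $groups[] = $entry['cn'][0];
        }
    }
    ldap_unbind($ldap);
    return $groups;
}

/** Per-page-load wrapper: skip LDAP entirely while a recent failure is recorded. */
function groups_for_page_load(array &$session, string $user, callable $lookup): ?array {
    if (($session['ldap_down_until'] ?? 0) > time()) {
        return null;                 // in backoff: caller falls back to local auth
    }
    $groups = $lookup($user);
    if ($groups === null) {
        $session['ldap_down_until'] = time() + LDAP_BACKOFF_SECONDS;
    }
    return $groups;
}

// Offline demonstration with a stub standing in for an unreachable server:
// only the first of five simulated page loads actually contacts the backend.
$calls = 0;
$unreachable = function (string $user) use (&$calls): ?array { $calls++; return null; };
$session = [];                       // stands in for $_SESSION
for ($page = 0; $page < 5; $page++) {
    groups_for_page_load($session, 'alice', $unreachable);
}
echo "backend contacted {$calls} time(s) over 5 page loads\n";
```

<p>In a real deployment the caller would pass a closure around ldap_lookup_groups() instead of the stub, and the backoff value trades how long a recovered server goes unused against how often an unreachable one is retried.</p>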