As admin, I want to use a slow radiusproxy so that communication does not time out (in a reasonable amount of time) before the response arrives.
The kdc <-> ipa-otpd connection times out (currently ~5 secs) and is closed before the remote radiusproxy can respond with an access decision. For example, when the radiusproxy is on a slow network, is some proprietary software or cloud service, or is waiting for a user response via 2FA.
There is no description of configuring time-outs in the documentation [1]. Some hints can be found at [2]. The original poster suggests editing /var/kerberos/krb5kdc/kdc.conf and restarting the krb5kdc service:
```
/var/kerberos/krb5kdc/kdc.conf

[otp]
 DEFAULT = {
     timeout = 120
     retries = 0
     strip_realm = false
 }
```
This allows tuning the time-out according to one's needs.
ipa-server-4.5.0-22.el7.centos.x86_64
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/#migrating-proprietary-otp
[2] https://www.redhat.com/archives/freeipa-users/2016-December/msg00235.html
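As an added example (not code from the ticket or from FreeIPA), the following checks a kdc.conf for the `[otp]` stanza described above and reports profiles whose timeout would still cut off a slow RADIUS proxy. The 5-second fallback is the value the ticket reports as the current default and is an assumption here; the sample configs are constructed.

```python
import re

# Timeout the ticket reports as the current kdc <-> ipa-otpd default (about 5 s);
# assumed here as the fallback when no profile sets one.
DEFAULT_TIMEOUT = 5

def parse_otp_section(conf_text):
    """Return {profile: {key: value}} for every stanza in the [otp] section of a kdc.conf."""
    text = "\n".join(l.split("#", 1)[0] for l in conf_text.splitlines())  # drop comments
    sect = re.search(r"^\s*\[otp\]\s*$(.*?)(?=^\s*\[|\Z)", text, re.S | re.M)
    if not sect:
        return {}
    profiles = {}
    for name, body in re.findall(r"(\S+)\s*=\s*\{([^}]*)\}", sect.group(1)):
        profiles[name] = dict(re.findall(r"(\w+)\s*=\s*([^\s{}]+)", body))
    return profiles

def effective_timeout(profiles, profile="DEFAULT"):
    """Timeout (seconds) for a profile: its own value, else DEFAULT's, else the assumed 5 s."""
    own = profiles.get(profile, {})
    default = profiles.get("DEFAULT", {})
    return int(own.get("timeout", default.get("timeout", DEFAULT_TIMEOUT)))

def profiles_below(conf_text, minimum):
    """List (profile, timeout) pairs that would drop a slow RADIUS proxy before `minimum` seconds."""
    profiles = parse_otp_section(conf_text) or {"DEFAULT": {}}
    return [(n, effective_timeout(profiles, n)) for n in profiles
            if effective_timeout(profiles, n) < minimum]

# Constructed sample configs: one without an [otp] section, one with the stanza from the ticket.
KDC_CONF_BEFORE = """\
[kdcdefaults]
 kdc_ports = 88

[realms]
 EXAMPLE.TEST = {
  max_life = 7d
 }
"""
KDC_CONF_AFTER = KDC_CONF_BEFORE + """\
[otp]
 DEFAULT = {
     timeout = 120
     retries = 0
     strip_realm = false
 }
"""

if __name__ == "__main__":
    for label, conf in (("before", KDC_CONF_BEFORE), ("after", KDC_CONF_AFTER)):
        print(label, profiles_below(conf, 60))
```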
Metadata Update from @slaykovsky: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1584749
An option would be to add this information in ipa help radiusproxy
Metadata Update from @rcritten: - Issue tagged with: documentation
The documentation bugzilla has been fixed, the official doc now contains a section Changing the Timeout Value of a KDC When Running a RADIUS Server in a Slow Network. Hence closing this issue as fixed.
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)