LDAP Group Membership

Arran Cudbard-Bell a.cudbardb at freeradius.org
Fri Apr 25 15:23:02 CEST 2014


On 25 Apr 2014, at 14:00, Phil Mayers <p.mayers at imperial.ac.uk> wrote:

> On 25/04/14 12:11, Arran Cudbard-Bell wrote:
> 
>> Again 'Whoa'.
>> 
>> AD allows bitwise filters?! That's pretty cool.
>> 
>> Someone with AD want to test and see if it allows the string form?
> 
> Not sure what you mean by "string form". You can definitely do a plain old LDAP query with that syntax.

:1.2.840.113556.1.4.1941: == :LDAP_MATCHING_RULE_IN_CHAIN:

Just the OID is quite opaque...


> Couple of things to note - the "find all groups a user is in" form is *very* slow for me. The "find if a user is in a group" requires a base DN search against the user object, just like the tokenGroups magic attribute (I assume it does the same thing under the hood).

OK

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2
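
An added example, not part of the original message: the two search shapes discussed above, written as Python that only builds the search parameters (no LDAP connection). The OID is the one quoted in the message; the function names, the DNs and the `memberOf`/`member` attribute choice follow the usual AD convention and are assumptions of this example. DN values are escaped per RFC 4515 before being placed in the filter, since a DN can legitimately contain `(`, `)`, `*` or `\`.

```python
# Added example: builds LDAP search parameters only, nothing is sent.
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (OID from the post)

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample DNs (hypothetical directory).
SAMPLE_USER_DN = "CN=Smith\\, Jo (test),OU=Staff,DC=example,DC=org"
SAMPLE_GROUP_DN = "CN=vpn-users,OU=Groups,DC=example,DC=org"
SAMPLE_GROUPS_BASE = "OU=Groups,DC=example,DC=org"


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_member_search(user_dn: str, group_dn: str) -> dict:
    """'Is this user in this group (nested included)?'

    Base-scope search against the user object itself, as the post
    describes; a returned entry means the user is a member.
    """
    return {
        "base": user_dn,  # used as the search base, so not filter-escaped
        "scope": "base",
        "filter": f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)})",
    }


def all_groups_search(user_dn: str, groups_base: str) -> dict:
    """'Which groups is this user in (nested included)?'

    Subtree search over group objects; this is the form the post
    reports as very slow.
    """
    return {
        "base": groups_base,
        "scope": "sub",
        "filter": f"(member:{IN_CHAIN}:={escape_filter_value(user_dn)})",
    }


if __name__ == "__main__":
    print(is_member_search(SAMPLE_USER_DN, SAMPLE_GROUP_DN))
    print(all_groups_search(SAMPLE_USER_DN, SAMPLE_GROUPS_BASE))
```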
