LDAP Group Membership

Josh Essar jessar at kvcc.edu
Fri Apr 25 19:41:15 CEST 2014


Alan DeKok wrote:

>   Don't use ridiculously complicated group memberships.

That is the approach I have decided to take. It's time to clean up our group structure anyway.

>   The repeated rebinds mean that the information isn't in one LDAP
> directory, it's scattered across many directories.  i.e. Active Directory.
> 
>   Your design is *slow*.  Doing multiple binds just to discover a user
> is very problematic.
> 
>   Your LDAP design is way too complicated.  The multiple LDAP directories
> and groups buried within groups makes it nearly impossible to create a
> working RADIUS system.
> 

Yes, we use Active Directory. I'm assuming it is an Active Directory
configuration change that will need to be made to reduce the number of
rebinds. Is there a configuration change I could make in FreeRADIUS to
make this process more efficient?

> 
>   Even if you do fix the group membership issue, the repeated LDAP
> searches will DESTROY performance.  You'll be lucky to get 10
> authentications per second out of it.

Would it be better to set up an OpenLDAP server and use that for
FreeRADIUS lookups? I had already thought about doing that when I
started this project.
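An added illustration, not part of this list post or of FreeRADIUS, of the cost Alan is pointing at: resolving "groups buried within groups" from the client side means one LDAP search per nested group, while Active Directory can walk the nesting server-side in a single query using its LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941, an AD-specific rule that OpenLDAP does not provide). The directory tree, group and user names below are constructed, and an in-memory dictionary stands in for the real LDAP server so the code runs offline; the only thing it models is the number of round trips.

```python
"""Nested (group-in-group) membership, resolved two ways.

Constructed example: an in-memory stand-in for an Active Directory tree.
All DNs, group names and account names are made up for illustration.
"""
from collections import deque

# Constructed directory: group DN -> list of member DNs (users or groups).
# 'faculty' contains 'staff' again to show why cycle detection matters.
DIRECTORY = {
    "CN=wifi-users,OU=Groups,DC=example,DC=com": [
        "CN=staff,OU=Groups,DC=example,DC=com",
        "CN=students,OU=Groups,DC=example,DC=com",
    ],
    "CN=staff,OU=Groups,DC=example,DC=com": [
        "CN=faculty,OU=Groups,DC=example,DC=com",
        "CN=jdoe,OU=People,DC=example,DC=com",
    ],
    "CN=faculty,OU=Groups,DC=example,DC=com": [
        "CN=asmith,OU=People,DC=example,DC=com",
        "CN=staff,OU=Groups,DC=example,DC=com",   # nesting cycle
    ],
    "CN=students,OU=Groups,DC=example,DC=com": [
        "CN=bwong,OU=People,DC=example,DC=com",
    ],
}


def lookup_members(group_dn, counter):
    """Stands in for one LDAP search of a group's 'member' attribute.

    Every call is one network round trip against the directory, which is
    what the counter records.
    """
    counter[0] += 1
    return DIRECTORY.get(group_dn, [])


def is_member_recursive(user_dn, group_dn):
    """Client-side expansion: breadth-first, one search per nested group.

    Returns (found, number_of_searches). A 'seen' set stops the walk from
    looping forever on cyclic group nesting.
    """
    counter = [0]
    seen = set()
    queue = deque([group_dn])
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        for member in lookup_members(group, counter):
            if member == user_dn:
                return True, counter[0]
            if member in DIRECTORY:        # a nested group: search it too
                queue.append(member)
    return False, counter[0]


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter.

    Without this, a user-supplied account name could alter the filter.
    """
    out = []
    for ch in value:
        if ch in "\\*()":
            out.append("\\%02x" % ord(ch))
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


# Active Directory's transitive-membership matching rule (real AD OID).
IN_CHAIN = "1.2.840.113556.1.4.1941"


def chain_filter(sam_account, group_dn):
    """Single server-side query: AD resolves the whole nesting chain itself.

    Returns the filter string a client would send in one search request,
    instead of the N searches that is_member_recursive performs.
    """
    return "(&(objectClass=user)(sAMAccountName=%s)(memberOf:%s:=%s))" % (
        escape_filter_value(sam_account), IN_CHAIN,
        escape_filter_value(group_dn))


if __name__ == "__main__":
    top = "CN=wifi-users,OU=Groups,DC=example,DC=com"
    for user in ("jdoe", "asmith", "nobody"):
        dn = "CN=%s,OU=People,DC=example,DC=com" % user
        print(user, is_member_recursive(dn, top))
    print(chain_filter("jdoe", top))
```

The recursive resolver spends four searches to say "no" for a user who is not in the tree at all, and that cost grows with every level of nesting; the chained filter is one request, but only against Active Directory, so moving lookups to an OpenLDAP mirror trades that rule away for whatever flattening the mirror does at sync time.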
