Prevent unnecessary checks with Ldap-Group in FR3
Arran Cudbard-Bell
a.cudbardb at freeradius.org
Thu Aug 27 17:56:07 CEST 2015
> On Aug 27, 2015, at 11:29 AM, Anja Ruckdaeschel <Anja.Ruckdaeschel at rz.uni-regensburg.de> wrote:
>
> Hi there,
>
> we are doing an Ldap-Group-Check for every login. The Group contains people who are not allowed to use radius-services.
> So 98% of the Users are NOT in the Group.
>
> FR3 first searches in the Group for the Login-User, if he finds nothing he then checks all the groups a user is member of in reverse,
> which can be a lot at our site.
If you gave the ldap module a value for group.membership_attribute, it's going to check all the values of that attribute found in the user object. If you don't want it to check membership attributes comment out group.membership_attribute.
If the format of the group you're trying to find is the same as the membership_attribute value i.e. your group is a DN and the value is a DN, then rlm_ldap will not hit the LDAP directory for each of these checks, so it just ends up being a memcmp (very fast even for 50 groups).
The only time this is an issue is if one is a DN and the other is a name, then each group membership requires a search to get both operands in the same format.
-Arran
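As an added illustration of the settings Arran refers to (an example configuration written for this page, not text from the thread and not a copy of the FreeRADIUS project's shipped files), here are the relevant parts of the FR3 `ldap` module's `group` section together with an `Ldap-Group` check in the authorize section. The base DN, the group DN, the filters and the `memberOf` attribute name are assumed placeholders for a typical directory; only `membership_attribute`, `Ldap-Group` and the DN-versus-name behaviour come from the thread.

```conf
# --- mods-available/ldap (FreeRADIUS 3.x), group section only ---
# base_dn, filters and attribute names below are assumed placeholders.
group {
    # Where group objects live, and how to recognise one.
    base_dn = "ou=groups,dc=example,dc=org"
    filter = "(objectClass=groupOfNames)"

    # Attribute that carries the group's short name (used when a check
    # item refers to a group by name rather than by DN).
    name_attribute = cn

    # Filter rlm_ldap uses when it must search the directory to resolve
    # a membership, i.e. when the group reference in the check item and
    # the values of the user's membership attribute are not in the same
    # format (one is a DN, the other a name).
    membership_filter = "(member=%{control:Ldap-UserDn})"

    # Attribute in the *user* object listing the groups the user is in.
    # When set, every value of this attribute is compared against the
    # group named in the Ldap-Group check. If both sides are DNs the
    # comparison is a plain string compare; no extra LDAP query is made.
    # Comment this line out to skip the per-value membership checks.
    membership_attribute = memberOf

    # If enabled, rlm_ldap resolves the user's group memberships once
    # during the user lookup and caches them in the request, so later
    # Ldap-Group checks compare against the cached list.
    cacheable_dn = no
    cacheable_name = no
}

# --- sites-enabled/default, authorize section (placeholder group DN) ---
# The group is referenced by its full DN, the same format as the memberOf
# values, so the per-value comparison stays a string compare rather than
# turning into one search per group the user belongs to.
authorize {
    ldap
    if (Ldap-Group == "cn=radius-denied,ou=groups,dc=example,dc=org") {
        reject
    }
}
```

The check to make after editing is to run `radiusd -X` for a user who is in many groups and confirm the debug output shows a single user lookup followed by the membership comparison, with no additional per-group searches; if searches appear, the check item and the `memberOf` values are in different formats.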