LDAP group query optimisation

Alan DeKok aland at deployingradius.com
Thu Oct 13 15:42:27 CEST 2016


On Oct 13, 2016, at 9:38 AM, Brian Candler <b.candler at pobox.com> wrote:
> 
> I am testing out freeradius with FreeIPA (= 389 directory server). This is freeradius-3.0.11 from Ubuntu 16.04, talking to FreeIPA under CentOS 7.
> 
> The 389 directory server in FreeIPA has a "memberOf" plugin installed (by default), which exposes all the groups as part of the user record. For example:
...
> The problem is, whenever I touch the LDAP-Group attribute it triggers off a whole load of LDAP queries, one for each group, to translate the group DN to the cn.

  Try the v3.0.x branch.  It's largely v3, with a number of changes.  One major one is LDAP group caching.

  The LDAP module grabs all of the groups once, and then caches them along with the request.  Subsequent LDAP group comparisons are done internally, and don't touch LDAP.

  Alan DeKok.
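The query pattern discussed in this thread, modelled in Python as an added example (not FreeRADIUS code and not part of the original message): it counts DN-to-cn lookups when every group comparison re-translates the memberOf list, versus resolving the list once and keeping the result with the request. `CountingLdap`, `Request`, the function names and the example.com DNs are constructed for illustration.

```python
"""Model of per-request LDAP group caching (constructed example, not FreeRADIUS code)."""

# Constructed directory: group DN -> cn, standing in for the LDAP server.
DIRECTORY = {
    "cn=admins,cn=groups,cn=accounts,dc=example,dc=com": "admins",
    "cn=vpn-users,cn=groups,cn=accounts,dc=example,dc=com": "vpn-users",
    "cn=wifi,cn=groups,cn=accounts,dc=example,dc=com": "wifi",
}


class CountingLdap:
    """Stand-in LDAP client that counts every DN -> cn lookup."""

    def __init__(self, directory):
        self.directory = directory
        self.queries = 0

    def cn_for_dn(self, dn):
        self.queries += 1
        return self.directory.get(dn.lower())


def in_group_uncached(ldap, member_of, wanted):
    """Translate every memberOf DN on each comparison: one query per group."""
    names = [ldap.cn_for_dn(dn) for dn in member_of]
    return any(n is not None and n.lower() == wanted.lower() for n in names)


class Request:
    """Per-request state; the cached group names live and die with the request."""

    def __init__(self, member_of):
        self.member_of = member_of
        self.cached_groups = None  # filled on the first group comparison


def in_group_cached(ldap, request, wanted):
    """Resolve all groups once, then answer later comparisons from the cache."""
    if request.cached_groups is None:
        names = (ldap.cn_for_dn(dn) for dn in request.member_of)
        # Dangling references (a DN with no group entry) are dropped, never matched.
        request.cached_groups = {n.lower() for n in names if n is not None}
    return wanted.lower() in request.cached_groups
```

Because the cache is held on the request object, a new request resolves the groups again, so a membership change in the directory is picked up on the next authentication rather than being served from stale state.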



