Efficient AD group matching via the new wbclient interface

Alan DeKok aland at deployingradius.com
Tue Feb 13 15:07:12 CET 2018


On Feb 10, 2018, at 10:22 AM, Isaac Boukris <iboukris at gmail.com> wrote:
> I am working on improving AD group matching for mschap authentication,
> taking advantage of the new wbclient direct interface which returns
> the user's token (including group membership SIDs) as part of NTLM
> authentication.
> 
> Work in progress:
> https://github.com/frenche/freeradius-server/commit/9af7dfd634a251f68b07064603ccbbca308492bf

  It looks good.

> I'm now thinking on how to implement the caching of group-name to SID
> mapping with configurable timeout, ideally using existing interface -
> ideas welcome.

  The "cache" module should be able to do that.  My $0.02 is to just create the mappings, and let the rest of the policies decide what to cache (or not).

> @mcnewton, I noticed at last there is a similar group-compare function
> in v4 branch, though I think the two actually can complete each other.

  I'd like Matthew's comments, too.

  Alan DeKok.



