Efficient AD group matching via the new wbclient interface
Isaac Boukris
iboukris at gmail.com
Tue Feb 13 17:05:02 CET 2018
On Tue, Feb 13, 2018 at 4:07 PM, Alan DeKok <aland at deployingradius.com> wrote:
>> I'm now thinking on how to implement the caching of group-name to SID
>> mapping with configurable timeout, ideally using existing interface -
>> ideas welcome.
>
> The "cache" module should be able to do that. My $0.02 is to just create the mappings, and let the rest of the policies decide what to cache (or not).
The mapping I am interested in is of group-name to SID, which is
relevant to *any* user and not related to what the AD-Group compare
function actually does.
I haven't figured out yet how to use the cache module for that.
Note that this cache will only miss if the group-name is changed, as
that's what we cache, not if the user stops being a member (or if the
group moves in the tree).
So I think we can recommend a long timeout by default.