Re: Microsoft AD group check

Marek Smoliński marksmol at o2.pl
Sun Jan 12 20:40:38 CET 2020


Unfortunately, one computer can only be in one group in AD; because of the high complexity of AD and the delegation of permissions to AD administrators, there are so many groups.

I have cachable_name and cacheable_dn enabled; I may not be able to use it.

I've tried to follow the documentation. In post-auth:

    update control {
        Cache-Status-Only = 'yes'
    }
    cache
    if (notfound) {
        ldap
        if (LDAP-Group =~ /.*VLAN16_.*/) {
            update reply {
                ...
            }
        }
    }
    cache

I see a message in debug: Debug: No old matches

What am I doing wrong?

regards
Marek Smoliński

From: Arran Cudbard-Bell
Sent: Sunday, 12 January 2020 19:22
To: FreeRadius users mailing list
Subject: Re: Microsoft AD group check


Agreed. Though you also need to make sure you've enabled tunnel reply attribute in the EAP module config.

A few other things.

Although there may be 800 groups it's very unlikely a user would be a member of all of them and LDAP would be returning a small subset.

Group checking with an LDAP query can in itself be inefficient if you're doing many group checks, as each check involves a roundtrip to the LDAP server. What it's good for is checking a minimal number of group memberships which involve wildcard filter matches.

Depending on how many groups are returned for a user, and whether resolving group information requires additional lookups, it may be more efficient to use cachable_name or cacheable_dn to retrieve the complete list. You'll then be able to use pattern matching on that list as specified in the answer to the Stack Overflow question you posted.

Please don't cross post when you've already received an answer somewhere else, it increases the net effort expended by the community to answer your question.

-Arran
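The approach Arran describes above, as an added example that is not from the thread and not FreeRADIUS's own default configuration: the rlm_ldap group block with cacheable_name enabled, the matching logic, and the tunnelled-reply setting. It assumes FreeRADIUS 3.0.x, an LDAP module instance named `ldap` already listed in the inner-tunnel authorize section, PEAP, and the `VLAN<number>_` group naming convention from the question; the cached group names landing in `&control:LDAP-Group` and `[*]` working with `=~` are assumptions to verify against your version's documentation.

```unlang
# --- mods-available/ldap: fetch the user's full group list in one query ---
ldap {
    group {
        base_dn = "${..base_dn}"
        filter = "(objectClass=group)"
        name_attribute = cn
        # AD exposes membership on the user object, so resolve it from
        # memberOf instead of querying each group object separately.
        membership_attribute = "memberOf"
        # Cache the user's group names for this request; rlm_ldap writes
        # them to &control:LDAP-Group, one value per group (assumption).
        cacheable_name = yes
        cacheable_dn = no
    }
}

# --- mods-available/eap: copy the inner reply to the outer reply ---
eap {
    peap {
        use_tunneled_reply = yes
    }
}

# --- sites-available/inner-tunnel: match the cached list once ---
post-auth {
    # "ldap" ran in authorize, which is where the group list was fetched
    # and cached; no further LDAP roundtrip happens here.
    # Test every cached group name against the VLAN<number>_ convention.
    if (&control:LDAP-Group[*] =~ /^VLAN([0-9]+)_/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            # %{1} is the number captured by the regex above, e.g. 16.
            Tunnel-Private-Group-Id := "%{1}"
        }
    }
}
```

With cacheable_name the cost is one query per request regardless of how many groups exist, and the list lives only for that request, so rlm_cache is not needed for the group check itself.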