Optimizing LDAP queries to AD using the users file on FreeRADIUS 2.1.12

Luis Písco lrodrig at ualg.pt
Fri Feb 10 18:53:30 CET 2012


Hello,

I'm trying to minimize LDAP queries to Active Directory, due to heavy load on
the DC.

 

--------------------------------------------

1 - Change the query in the LDAP module so it does not search groups of groups

Accomplished with this in the ldap module:

                # find the user entry by sAMAccountName
                filter = "(samaccountname=%{Stripped-User-Name})"

                dictionary_mapping = ${raddbdir}/ldap.attrmap

                # the group attribute an Ldap-Group check item is compared against
                groupname_attribute = cn

                # rlm_ldap ANDs this with (cn=<group name>); "member" matches
                # direct membership only, so nested groups are not followed
                groupmembership_filter = "(objectClass=Group)(member=%{check:Ldap-UserDn})"

 

--------------------------------------------

2 - Do only one LDAP query for each type

I have several campuses and several VLAN assignments on each campus.

So I have, for example, these check items in the users file:

# check items: the NAS huntgroup AND direct membership of the AD group;
# every Ldap-Group check item costs one LDAP search
DEFAULT Huntgroup-Name == "gambelas", ldapnaodocentes-Ldap-Group == "Nao Docentes"
                Tunnel-Private-Group-ID := 302

DEFAULT Huntgroup-Name == "gambelas", ldapnaodocentes-Ldap-Group == "e-U-InternoComoExterno"
                Tunnel-Private-Group-ID := 304

DEFAULT Huntgroup-Name == "Penha", ldapnaodocentes-Ldap-Group == "Nao Docentes"
                Tunnel-Private-Group-ID := 602

And so on.

If the user is on the last campus, it will query AD several times for the same
group, because even if Huntgroup-Name doesn't match, it will still run the LDAP
query on the same check line.

 

So I tried this with no success:

# one group lookup, then Fall-Through to the per-campus entries below
DEFAULT ldapnaodocentes-Ldap-Group == "Nao Docentes"
                Tunnel-Type := "VLAN", Tunnel-Medium-Type := "IEEE-802",
                My-Group := 2,
                Fall-Through = Yes

# My-Group == 2 is a check item here; My-Group := 2 above is a reply item
DEFAULT Huntgroup-Name == "gambelas", My-Group == 2
                Tunnel-Private-Group-ID := 302,
                Reply-Message = " eduroam Gambelas Nao Docente Vlan 302!"

DEFAULT Huntgroup-Name == "penha", My-Group == 2
                Tunnel-Private-Group-ID := 602,
                Reply-Message = " eduroam Penha Nao Docente Vlan 602!"

But My-Group == 2 is not evaluated.

Is it not possible to assign a value to an attribute and then use it later in
the users file?

 

--------------------------------------------

3 - Several groups have the same VLAN, so I can create a group of groups in AD
and search by that group.

The problem is that it searches for every group the user belongs to. If the user
has 20 groups in AD and there are 10 groups to check in the users file, it will
do 200 searches.

The tokenGroups field of the user in AD has all the groups and groups of groups
for the user, but it is a list of SIDs, not the DNs of the groups.

Is it possible to get the SID of the group instead of the DN, to use it to
search the tokenGroups field of the user in AD?

 

--------------------------------------------

Thanks

Pisco
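On the tokenGroups question, an added example that is not from this post and not part of FreeRADIUS: tokenGroups is a constructed attribute that AD returns only for a base-scope search of the user's own DN and that cannot be used in a search filter, so the group comparison has to happen outside LDAP, after the one read of the user. The Python below converts between the binary SID form AD returns and the S-1-5-... text form, escapes a binary SID for a filter such as (objectSid=...) (the place where a group SID is searchable, to find a group's SID by name once), and then matches a user's tokenGroups list against a (huntgroup, group SID) -> VLAN table in a single pass, mirroring the users-file entries above. The domain SID, RIDs, POLICY table and SAMPLE_TOKEN_GROUPS are constructed for the example.

```python
import struct
from typing import Optional

# Domain SID, RIDs and the policy table below are constructed for this example.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

# (Huntgroup-Name, group SID) -> Tunnel-Private-Group-ID, mirroring the users
# file entries. The first matching row wins, so order rows by priority.
POLICY = {
    ("gambelas", DOMAIN_SID + "-1105"): 302,  # "Nao Docentes" at Gambelas
    ("gambelas", DOMAIN_SID + "-1106"): 304,  # "e-U-InternoComoExterno" at Gambelas
    ("penha",    DOMAIN_SID + "-1105"): 602,  # "Nao Docentes" at Penha
}


def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary SID form AD returns for objectSid / tokenGroups:
    revision(1) | sub-authority count(1) | authority(6, big-endian) |
    sub-authorities(4 bytes each, little-endian)."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_to_bytes(sid: str) -> bytes:
    """Inverse of bytes_to_sid: S-1-5-21-... text to the binary form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15 or not 0 <= authority < (1 << 48):
        raise ValueError("malformed SID")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def ldap_escape_binary(raw: bytes) -> str:
    """RFC 4515 escaping of a binary assertion value, for a filter such as
    (objectSid=\\01\\05...). Hex-escaping every byte is always valid."""
    return "".join("\\%02x" % b for b in raw)


def group_sid_filter(sid: str) -> str:
    """Filter to find a group entry by its SID (objectSid is searchable;
    tokenGroups is not)."""
    return "(&(objectClass=group)(objectSid=%s))" % ldap_escape_binary(sid_to_bytes(sid))


def vlan_for(huntgroup: str, token_groups) -> Optional[int]:
    """token_groups: the raw tokenGroups values from a base-scope read of the
    user's DN (direct and nested membership, as SIDs). One decode pass replaces
    one LDAP search per Ldap-Group check item."""
    members = {bytes_to_sid(v) for v in token_groups}
    for (campus, sid), vlan in POLICY.items():
        if campus == huntgroup.lower() and sid in members:
            return vlan
    return None


# Constructed stand-in for what AD would return in tokenGroups for one user:
# Domain Users, the "Nao Docentes" group and BUILTIN\Users.
SAMPLE_TOKEN_GROUPS = [
    sid_to_bytes(DOMAIN_SID + "-513"),
    sid_to_bytes(DOMAIN_SID + "-1105"),
    sid_to_bytes("S-1-5-32-545"),
]

if __name__ == "__main__":
    for campus in ("gambelas", "Penha", "faro"):
        print(campus, vlan_for(campus, SAMPLE_TOKEN_GROUPS))
```

The group SIDs in POLICY would be resolved once, at configuration time, with group_sid_filter(); at request time the only LDAP traffic is the base-scope read of the user's DN asking for tokenGroups, however many groups the user or the policy table has.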
