Global User Blacklist
Phil Mayers
p.mayers at imperial.ac.uk
Tue Jul 31 15:02:58 CEST 2012
On 31/07/12 13:47, David Aldwinckle wrote:
> Hi Phil,
>
> I tried a test where I commented out "ldap" from the inner tunnel and it appears that you are correct.
>
> I had thought that I would need to "load" the module for the LDAP-Group to be populated.
It's a common misconception, and in some ways I wish it were more
obvious that this isn't the case. But as I say, the attribute is a
"virtual" one, and comparisons are executed by a handler that
dynamically does the query, as opposed to a list of groups.

Same thing for SQL-Group and (IIRC) the huntgroup attributes.

This can be relevant if you want to do a lot of group comparisons e.g.

    if (Ldap-Group == abc123) {
        ...
    }
    elsif (Ldap-Group == def456) {
        ...
    }

...involves two LDAP directory searches. This can get slow with a lot of
groups, for which there are various solutions.