unlang and optimization

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Apr 25 23:23:21 CEST 2013 

On 25 Apr 2013, at 14:32, Jason 'XenoPhage' Frisvold <xenophage at godshell.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Greetings,
> 
> 	I'm looking for some information on optimizing some of the
> configuration I've made in my freeradius 2.2.0 installation.
> Specifically, I need to set a variable based on the LDAP Group
> membership of a user.  I'm doing this in the post-auth section at the
> moment, which I think is correct.  The syntax I'm using is as follows :
> 
> if (LDAP-Group == "cn=violations,ou=groups,o=mycorp") {
>   update request {
>      Tmp-String-0 := "VIOLATORS"
>   }
> }
> elsif (LDAP-Group == "cn=guests,ou=groups,o=mycorp") {
>   update request {
>      Tmp-String-0 := "GUEST"
>   }
> }
> 
> 	This seems to work fine, but I'm not sure if this is the right way to
> go about it.  LDAP is getting a query for each if statement which
> seems a little much?

Yes it is.

>  Is there a way to have the full memberOf list
> sent back to RADIUS in one shot and then have it processed internally
> without having to beat up LDAP?
> 

Yes. In FreeRADIUS master branch. You can also do nice things like cache group membership.

> 	I had tried to use a switch/case statement to do this as well, but
> that doesn't seem to work.

No. That won't work at all.

>  Two questions here.  First, is switch/case
> better to use for this or is it functionally equivalent to the
> if/elsif statement?

No and No.

>  And second, the syntax I used is below.. Did I do
> something wrong, or is this not supported?

Not supported, and won't be supported. Overloading of attributes like this is slated for deprecation in 3.0/1, at which point we'll just standardise on xlat function calls for all the comparisons.

> switch LDAP-Group {
>   case "cn=violations,ou=groups,o=mycorp" {
>      update request {
>         Tmp-String-0 := "VIOLATORS"
>      }
>   }
>   case "cn=guests,ou=groups,o=mycorp" {
>      update request {
>         Tmp-String-0 := "GUEST"
>      }
>   }
> }


-Arran

Arran Cudbard-Bell <a.cudbardb at freeradius.org>
FreeRADIUS Development Team

More information about the Freeradius-Users mailing list