LDAP Group Membership
Josh Essar
jessar at kvcc.edu
Fri Apr 25 19:41:15 CEST 2014
Alan DeKok wrote:
> Don't use ridiculously complicated group memberships.
That is the approach I have decided to take. It's time to clean up our group structure anyway.
> The repeated rebinds mean that the information isn't in one LDAP
> directory, it's scattered across many directories. i.e. Active Directory.
>
> Your design is *slow*. Doing multiple binds just to discover a user
> is very problematic.
>
> Your LDAP design is way too complicated. The multiple LDAP directories
> and groups buried within groups makes it nearly impossible to create a
> working RADIUS system.
>
Yes, we use Active Directory. I'm assuming it is an Active Directory
configuration change that will need to be made to reduce the number of
rebinds. Is there a configuration change I could make in FreeRADIUS to
make this process more efficient?
>
> Even if you do fix the group membership issue, the repeated LDAP
> searches will DESTROY performance. You'll be lucky to get 10
> authentications per second out of it.
Would it be better to set up an OpenLDAP server and use that for
FreeRADIUS lookups? I had already thought about doing that when I
started this project.
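As an added illustration (not part of the thread, and not Josh's or Alan's configuration), the fragment below shows the FreeRADIUS `ldap` module settings that address the two costs discussed above: group lookups and referral rebinds. It assumes FreeRADIUS 3.0 syntax (the post does not state a version), and the hostname, service account, DNs and group names are placeholders. `sAMAccountName`, `memberOf` and the matching rule OID `1.2.840.113556.1.4.1941` are real Active Directory features; everything else about the directory is assumed.

```conf
# mods-available/ldap (FreeRADIUS 3.0 syntax, assumed).  Added example, not
# the poster's config.  Hostnames, DNs and group names are placeholders.
ldap {
	server = 'dc1.example.edu'
	port = 389
	identity = 'CN=radius-svc,OU=Service Accounts,DC=example,DC=edu'
	password = 'changeme'
	base_dn = 'DC=example,DC=edu'

	user {
		base_dn = "${..base_dn}"
		# AD keeps the login name in sAMAccountName, not uid.
		filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
	}

	group {
		base_dn = 'OU=Groups,DC=example,DC=edu'
		filter = '(objectClass=group)'
		name_attribute = cn

		# Direct membership: read the user's own memberOf attribute from the
		# entry already fetched by the user search, so no extra group search.
		membership_attribute = 'memberOf'

		# Nested membership in ONE query: LDAP_MATCHING_RULE_IN_CHAIN
		# (1.2.840.113556.1.4.1941) is AD-specific and walks the group chain
		# server-side.  It can be slow on deep trees; drop it once the
		# group structure is flat, as the thread recommends.
		membership_filter = "(member:1.2.840.113556.1.4.1941:=%{control:Ldap-UserDn})"

		# Store the group DNs and names found above as LDAP-Group control
		# attributes so later LDAP-Group comparisons do not query AD again.
		cacheable_name = 'yes'
		cacheable_dn = 'yes'
	}

	options {
		# Referrals to other domains/directories are what cause the extra
		# binds discussed above.  With every user reachable from one
		# directory, referral chasing (and rebinding on referral) can be off.
		chase_referrals = no
		rebind = no
		res_timeout = 10
		srv_timelimit = 3
		net_timeout = 1
	}

	pool {
		# Persistent bound connections: bind once, reuse across requests
		# instead of binding per authentication.
		start = 5
		min = 3
		max = 32
		spare = 5
		uses = 0
		lifetime = 0
		idle_timeout = 60
	}
}
```

With `cacheable_dn` set, a check such as `if (LDAP-Group == "CN=wifi-users,OU=Groups,DC=example,DC=edu")` in the `authorize` section is answered from the cached attributes filled in by the single user search, which is the "one search per request" shape the thread is asking for. Watch `ldap_debug` output or `radiusd -X` to confirm that no second bind or search appears per request after the change; if referrals are still being chased, some users live outside the configured `base_dn` and the directory layout, not the module, needs fixing.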
More information about the Freeradius-Users mailing list