Prevent unnecessary checks with Ldap-Group in FR3

Anja Ruckdaeschel Anja.Ruckdaeschel at rz.uni-regensburg.de
Thu Aug 27 17:29:30 CEST 2015


Hi there,

we are doing an Ldap-Group check for every login. The group contains people who are not allowed to use RADIUS services.
So 98% of the users are NOT in the group.

FR3 first searches the group for the login user; if it finds nothing, it then checks all the groups the user is a member of in reverse,
which can be a lot at our site.

I know there are directories that do not implement backreferences for user groups, but e.g. with eDirectory it's just not necessary.
So I wonder if there is a way to prevent this behavior with a config param I have missed until now in the FR3 ldap module config,
so FR just stops after not finding the user in the group?


Thu Aug 27 17:08:20 2015 : Debug: (7)       policy rzur.radiusrejectcheckinner {
Thu Aug 27 17:08:20 2015 : Debug: (7)         if (Stripped-User-Name  =~ /^[a-zA-Z]{3}[0-9]{5}$/ ) {
Thu Aug 27 17:08:20 2015 : Debug: No matches
Thu Aug 27 17:08:20 2015 : Debug: Adding 1 matches
Thu Aug 27 17:08:20 2015 : Debug: (7)         if (Stripped-User-Name  =~ /^[a-zA-Z]{3}[0-9]{5}$/ )  -> TRUE
Thu Aug 27 17:08:20 2015 : Debug: (7)         if (Stripped-User-Name  =~ /^[a-zA-Z]{3}[0-9]{5}$/ )  {
Thu Aug 27 17:08:20 2015 : Debug: (7)           if (Ldap-Group == "cn=radiusreject,ou=myou,o=myo,c=de") {
Thu Aug 27 17:08:20 2015 : Debug: (7)           Searching for user in group "cn=radiusreject,ou=myou,o=myo,c=de"
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Connecting to ldap://ldap.example.com.de:389
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): New libldap handle 0x7f0e35c87c50
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Waiting for bind result...
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Bind successful
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Reserved connection (0)
Thu Aug 27 17:08:20 2015 : Debug: (7)           EXPAND TMPL XLAT
Thu Aug 27 17:08:20 2015 : Debug: (&(objectClass=inetOrgPerson)(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
Thu Aug 27 17:08:20 2015 : Debug: Parsed xlat tree:
Thu Aug 27 17:08:20 2015 : Debug: literal --> (&(objectClass=inetOrgPerson)(uid=
Thu Aug 27 17:08:20 2015 : Debug: if {
Thu Aug 27 17:08:20 2015 : Debug:       attribute --> Stripped-User-Name
Thu Aug 27 17:08:20 2015 : Debug: }
Thu Aug 27 17:08:20 2015 : Debug: else {
Thu Aug 27 17:08:20 2015 : Debug:       attribute --> User-Name
Thu Aug 27 17:08:20 2015 : Debug: }
Thu Aug 27 17:08:20 2015 : Debug: literal --> ))
Thu Aug 27 17:08:20 2015 : Debug: (7)           EXPAND (&(objectClass=inetOrgPerson)(uid=%{%{Stripped-User-Name}:-%{User-Name}}))
Thu Aug 27 17:08:20 2015 : Debug: (7)              --> (&(objectClass=inetOrgPerson)(uid=xxx12345))
Thu Aug 27 17:08:20 2015 : Debug: (7)           EXPAND TMPL LITERAL
Thu Aug 27 17:08:20 2015 : Debug: (7)           Performing search in "c=de" with filter "(&(objectClass=inetOrgPerson)(uid=xxx12345))", scope "sub"
Thu Aug 27 17:08:20 2015 : Debug: (7)           Waiting for search result...
Thu Aug 27 17:08:20 2015 : Debug: (7)           User object found at DN "cn=xxx12345,ou=myou,o=myo,c=de"
Thu Aug 27 17:08:20 2015 : Debug: (7)           Checking for user in group objects
Thu Aug 27 17:08:20 2015 : Debug: (&(objectClass=Group)(member=%{control:LDAP-UserDn}))
Thu Aug 27 17:08:20 2015 : Debug: Parsed xlat tree:
Thu Aug 27 17:08:20 2015 : Debug: literal --> (&(objectClass=Group)(member=
Thu Aug 27 17:08:20 2015 : Debug: attribute --> LDAP-UserDN
Thu Aug 27 17:08:20 2015 : Debug: literal --> ))
Thu Aug 27 17:08:20 2015 : Debug: (7)             EXPAND (&(objectClass=Group)(member=%{control:LDAP-UserDn}))
Thu Aug 27 17:08:20 2015 : Debug: (7)                --> (&(objectClass=Group)(member=cn\3dxxx12345\2cou\3dmyou\2co\3dmyo\2cc\3dde))
Thu Aug 27 17:08:20 2015 : Debug: (7)             Performing search in "cn=radiusreject,ou=myou,o=myo,c=de" with filter "(&(objectClass=Group)(member=cn\3dxxx12345\2cou\3dmyou\2co\3dmyo\2cc\3dde))", scope "sub"
Thu Aug 27 17:08:20 2015 : Debug: (7)             Waiting for search result...
Thu Aug 27 17:08:20 2015 : Debug: (7)             Search returned no results
Thu Aug 27 17:08:20 2015 : Debug: (7)           Checking user object's groupMembership attributes
Thu Aug 27 17:08:20 2015 : Debug: (7)             Performing unfiltered search in "cn=xxx12345,ou=myou,o=myo,c=de", scope "base"
Thu Aug 27 17:08:20 2015 : Debug: (7)             Waiting for search result...
Thu Aug 27 17:08:20 2015 : Debug: (7)           Processing groupMembership value "cn=mygroup1,ou=myou,o=myo,c=de" as a DN
Thu Aug 27 17:08:20 2015 : Debug: (7)           Processing groupMembership value "cn=mygroup2,ou=myou,o=myo,c=de" as a DN
...
about 50 Groups
....
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Released connection (0)
Thu Aug 27 17:08:20 2015 : Info: rlm_ldap (ldap): 0 of 1 connections in use.  Need more spares
Thu Aug 27 17:08:20 2015 : Info: rlm_ldap (ldap): Opening additional connection (1), 1 of 127 pending slots used
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Connecting to ldap://ldap.example.com:389
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): New libldap handle 0x7f0e35caa700
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Waiting for bind result...
Thu Aug 27 17:08:20 2015 : Debug: rlm_ldap (ldap): Bind successful
Thu Aug 27 17:08:20 2015 : Debug: (7)           User is not a member of "cn=radiusreject,ou=myou,o=myo,c=de"
Thu Aug 27 17:08:20 2015 : Debug: (7)           if (Ldap-Group == "cn=radiusreject,ou=myou,o=myo,c=de")  -> FALSE
Thu Aug 27 17:08:20 2015 : Debug: (7)         } # if (Stripped-User-Name  =~ /^[a-zA-Z]{3}[0-9]{5}$/ )  = updated
Thu Aug 27 17:08:20 2015 : Debug: (7)       } # policy rzur.radiusrejectcheckinner = updated

Thank you for your time,
Anja




More information about the Freeradius-Users mailing list
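For reference, the rlm_ldap `group {}` section that drives the two phases visible in the debug output above, as an added example (not part of the original post and not a file from the poster's site). The option names are the real FreeRADIUS 3.0 rlm_ldap options; the base DN, object classes and the expanded membership filter are reconstructed from the log and stand in for whatever the site actually uses.

```conf
ldap {
	# server, identity, password, pool etc. as in the site's existing
	# mods-available/ldap; only the user and group sections matter here.
	base_dn = 'c=de'

	user {
		base_dn = "${..base_dn}"
		# Matches the "Performing search in "c=de" ..." line in the debug output.
		filter = "(&(objectClass=inetOrgPerson)(uid=%{%{Stripped-User-Name}:-%{User-Name}}))"
		scope = 'sub'
	}

	group {
		base_dn = "${..base_dn}"
		filter = '(objectClass=Group)'
		scope = 'sub'
		name_attribute = cn

		# Phase 1 in the debug output ("Checking for user in group objects"):
		# when Ldap-Group is compared against a DN, rlm_ldap searches under
		# that DN for an entry matching this filter. Runs only while
		# membership_filter is set (filter value reconstructed from the log).
		membership_filter = "(&(objectClass=Group)(member=%{control:Ldap-UserDn}))"

		# Phase 2 ("Checking user object's groupMembership attributes"):
		# a base-scope read of the user object followed by a comparison of
		# every groupMembership value against the requested group DN. Runs
		# only while membership_attribute is set. Comment it out to make the
		# check stop after phase 1 has returned no results.
		#membership_attribute = 'groupMembership'

		cacheable_name = 'no'
		cacheable_dn = 'no'
	}
}
```

Each phase is gated on its own option, so either one can be dropped. Which one to keep depends on which side of the reference the directory maintains: with `membership_attribute` unset, the group object itself must carry the `member` values (phase 1 alone); with `membership_filter` unset and `membership_attribute` kept, the check becomes a single base-scope read of the user object and an in-memory comparison of its backlinks, which is the cheaper option where the directory, as with eDirectory's `groupMembership`, maintains them. Whichever option is removed, verify with `radiusd -X` that the corresponding "Checking ..." line no longer appears for a user who is not in the group, and that a user who is in the group is still rejected.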