Prevent unnecessary checks with Ldap-Group in FR3

Anja Ruckdaeschel Anja.Ruckdaeschel at rz.uni-regensburg.de
Fri Aug 28 10:44:16 CEST 2015


Commenting out the attribute did the trick.

Thank you very much. Have a nice day.

Ciao Anja
>>> Arran Cudbard-Bell <a.cudbardb at freeradius.org> 27.08.2015 17:56 >>>

> On Aug 27, 2015, at 11:29 AM, Anja Ruckdaeschel <Anja.Ruckdaeschel at rz.uni-regensburg.de> wrote:
> 
> Hi there,
> 
> we are doing an Ldap-Group-Check for every login. The Group contains people who are not allowed to use radius-services.
> So 98% of the Users are NOT in the Group.
> 
> FR3 first searches in the Group for the Login-User, if he finds nothing he then checks all the groups a user is member of in reverse,
> which can be a lot at our site.

If you gave the ldap module a value for group.membership_attribute, it's going to check all the values of that attribute found in the user object.  If you don't want it to check membership attributes comment out group.membership_attribute.

If the format of the group you're trying to find is the same as the membership_attribute value i.e. your group is a DN and the value is a DN, then rlm_ldap will not hit the LDAP directory for each of these checks, so it just ends up being a memcmp (very fast even for 50 groups).

The only time this is an issue is if one is a DN and the other is a name, then each group membership requires a search to get both operands in the same format.

-Arran
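The two configurations Arran contrasts, written out as an added example (this is not config from the original thread or from the FreeRADIUS project; the DNs, the group name "noradius" and the virtual server name are assumptions). The first variant keeps group.membership_attribute and compares against a plain group name, so rlm_ldap has to search the directory once per memberOf value to turn each DN into a name. The second variant comments the attribute out, so membership is resolved with one group search via membership_filter, and the comparison is done against a DN so that no per-value lookups are needed.

```text
# mods-available/ldap  (FreeRADIUS 3.x) -- SLOW variant
ldap {
        server = 'ldap.example.org'
        base_dn = 'dc=example,dc=org'
        group {
                base_dn = "ou=groups,dc=example,dc=org"
                filter = '(objectClass=groupOfNames)'
                name_attribute = cn
                membership_filter = "(member=%{control:Ldap-UserDn})"
                # every value of this attribute in the user object is
                # checked; because the unlang below compares a NAME,
                # each DN value needs a search to get its cn first
                membership_attribute = 'memberOf'
        }
}

# sites-enabled/default, authorize section -- SLOW variant
if (LDAP-Group == "noradius") {
        reject
}

# ------------------------------------------------------------------
# mods-available/ldap  (FreeRADIUS 3.x) -- FAST variant
ldap {
        server = 'ldap.example.org'
        base_dn = 'dc=example,dc=org'
        group {
                base_dn = "ou=groups,dc=example,dc=org"
                filter = '(objectClass=groupOfNames)'
                name_attribute = cn
                # one search for the group that lists this user;
                # no walk over the user's memberOf values
                membership_filter = "(member=%{control:Ldap-UserDn})"
                #membership_attribute = 'memberOf'
        }
}

# sites-enabled/default, authorize section -- FAST variant
# Comparing against the group DN means that even if membership_attribute
# were re-enabled, each memberOf value is a plain string compare.
if (LDAP-Group == "cn=noradius,ou=groups,dc=example,dc=org") {
        reject
}
```

To confirm which path is taken, run `radiusd -X` and test with a user who is not in the group: the slow variant logs one LDAP search per memberOf value, the fast variant logs a single group search.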