LDAP group query optimisation

Brian Candler b.candler at pobox.com
Thu Oct 13 15:38:04 CEST 2016


I am testing out freeradius with FreeIPA (= 389 directory server). This 
is freeradius-3.0.11 from Ubuntu 16.04, talking to FreeIPA under CentOS 7.

The 389 directory server in FreeIPA has a "memberOf" plugin installed 
(by default), which exposes all the groups as part of the user record. 
For example:

# bcandler, users, accounts, ipa.example.com
dn: uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
objectclass: ipaobject
objectclass: person
objectclass: top
objectclass: ipasshuser
objectclass: inetorgperson
objectclass: organizationalperson
objectclass: krbticketpolicyaux
objectclass: krbprincipalaux
objectclass: inetuser
objectclass: posixaccount
objectclass: ipaSshGroupOfPubKeys
objectclass: mepOriginEntry
objectclass: ipantuserattrs
cn: Brian Candler
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=server_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=network_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=vpn,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com
memberOf: cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com

And I have freeradius's ldap module configured for group membership like 
this:

         group {
                 membership_attribute = 'memberOf'
                 # rlm_ldap's config item is singular: name_attribute (defaults to cn)
                 name_attribute = 'cn'
         }


The problem is, whenever I touch the LDAP-Group attribute it triggers 
off a whole load of LDAP queries, one for each group, to translate the 
group DN to the cn.

However, since all I'm asking for is the cn, and the cn is the RDN of the 
group, the cn could be extracted directly from the DN.

Here's an example of what I see:


(1)         if (&Called-Station-Id =~ /:Staff$/ && &LDAP-Group[*] == "staff") {
(1)         Searching for user in group "staff"
rlm_ldap (ldap): Reserved connection (3)
(1)         Using user DN from request "uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com"
(1)         Checking user object's memberOf attributes
(1)           Performing unfiltered search in "uid=bcandler,cn=users,cn=accounts,dc=ipa,dc=example,dc=com", scope "base"
(1)           Waiting for search result...
(1)         Processing memberOf value "cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" as a DN
(1)           Resolving group DN "cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" to group name
(1)           Performing unfiltered search in "cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com", scope "base"
(1)           Waiting for search result...
(1)           Group DN "cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" resolves to name "ipausers"
(1)         Processing memberOf value "cn=server_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" as a DN
(1)           Resolving group DN "cn=server_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" to group name
(1)           Performing unfiltered search in "cn=server_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com", scope "base"
(1)           Waiting for search result...
(1)           Group DN "cn=server_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" resolves to name "server_guru"
(1)         Processing memberOf value "cn=network_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" as a DN
(1)           Resolving group DN "cn=network_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" to group name
(1)           Performing unfiltered search in "cn=network_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com", scope "base"
(1)           Waiting for search result...
(1)           Group DN "cn=network_guru,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" resolves to name "network_guru"
(1)         Processing memberOf value "cn=vpn,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" as a DN
(1)           Resolving group DN "cn=vpn,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" to group name
(1)           Performing unfiltered search in "cn=vpn,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com", scope "base"
(1)           Waiting for search result...
(1)           Group DN "cn=vpn,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" resolves to name "vpn"
(1)         Processing memberOf value "cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" as a DN
(1)           Resolving group DN "cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" to group name
(1)           Performing unfiltered search in "cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com", scope "base"
(1)           Waiting for search result...
(1)           Group DN "cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com" resolves to name "staff"
(1)         User found in group "staff". Comparison between membership: name (resolved from DN "cn=staff,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com"), check: name


I guess this is intentional: one group object *could* have multiple cn 
attributes, so maybe it's querying the group to be sure. That is,

memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=example,dc=com

in theory could translate to

LDAP-Group += ipausers
LDAP-Group += another name for ipausers


However, in my case I don't need this. Is there a way I can configure 
the LDAP module not to do this?

Alternatively I could make an explicit group membership query (i.e. 
return all group entries that this user is a member of); but that still 
involves two queries, and I would then not be making use of the memberOf 
feature.

Thanks,

Brian.
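An added example, written for this page in Python; it is not the poster's code and not FreeRADIUS's rlm_ldap. It models the two strategies the post contrasts: the per-group base-scope search visible in the debug log, and the shortcut of reading the name attribute straight out of each memberOf DN. It also covers the two cases where the shortcut alone is not enough, a group whose RDN is not the name attribute and a group carrying more than one value of it. The directory entries and memberOf values are constructed (they only follow the post's naming), and the function names `parse_dn`, `dn_key`, `name_from_group_dn`, `resolve_group_names` and `lookup` are this example's own, not rlm_ldap's.

```python
# Added example (not from the post or FreeRADIUS): group names from memberOf
# DNs, comparing the RDN shortcut with a per-group search.
from typing import Callable, Dict, List, Optional, Tuple


def _split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, skipping separators escaped with a backslash (RFC 4514)."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])  # keep the escape pair for _unescape()
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    """Undo RFC 4514 value escaping: '\\X' for a special char, '\\HH' for a raw UTF-8 byte."""
    buf = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(h in "0123456789abcdefABCDEF" for h in pair):
                buf.append(int(pair, 16))
                i += 3
                continue
            buf.extend(value[i + 1].encode("utf-8"))
            i += 2
            continue
        buf.extend(value[i].encode("utf-8"))
        i += 1
    return buf.decode("utf-8")


def parse_dn(dn: str) -> List[Dict[str, str]]:
    """Parse a DN into RDNs, most specific first. Each RDN maps lowercase
    attribute type -> unescaped value, so multi-valued RDNs (cn=a+ou=b) survive.
    Attribute values are kept as written (no caseIgnore matching)."""
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        ava = {}
        for pair in _split_unescaped(rdn, "+"):
            attr, _, val = pair.partition("=")
            ava[attr.strip().lower()] = _unescape(val.strip())
        rdns.append(ava)
    return rdns


def dn_key(dn: str) -> tuple:
    """Hashable DN form that is independent of escape spelling and type case."""
    return tuple(tuple(sorted(rdn.items())) for rdn in parse_dn(dn))


def name_from_group_dn(dn: str, name_attribute: str = "cn") -> Optional[str]:
    """The shortcut: if the group's RDN is the name attribute, take it from the DN.
    Returns None when the RDN uses another attribute, so the caller searches instead."""
    rdns = parse_dn(dn)
    return rdns[0].get(name_attribute.lower()) if rdns else None


def resolve_group_names(member_of: List[str], lookup: Callable[[str], Optional[dict]],
                        name_attribute: str = "cn", trust_rdn: bool = True) -> Tuple[List[str], int]:
    """Return (group names, number of searches issued).
    trust_rdn=False: one base-scope search per memberOf value, as in the debug log;
    this is the only way to see every value of the name attribute.
    trust_rdn=True: search only groups whose RDN is not the name attribute."""
    names, searches = [], 0
    for dn in member_of:
        rdn_name = name_from_group_dn(dn, name_attribute) if trust_rdn else None
        if rdn_name is not None:
            names.append(rdn_name)
            continue
        searches += 1
        entry = lookup(dn)
        if entry is not None:
            names.extend(entry.get(name_attribute.lower(), []))
    return names, searches


# Constructed sample directory (not real FreeIPA data), following the post's naming.
GROUPS_BASE = "cn=groups,cn=accounts,dc=ipa,dc=example,dc=com"
DIRECTORY = {dn_key(dn): entry for dn, entry in {
    f"cn=ipausers,{GROUPS_BASE}": {"cn": ["ipausers", "all-users"]},     # two cn values
    f"cn=staff,{GROUPS_BASE}": {"cn": ["staff"]},
    f"cn=Net\\, Ops,{GROUPS_BASE}": {"cn": ["Net, Ops"]},                # escaped comma in RDN
    f"ou=legacy\\, contractors,{GROUPS_BASE}": {"cn": ["contractors"]},  # RDN is ou, not cn
}.items()}


def lookup(dn: str) -> Optional[dict]:
    """Stand-in for the base-scope search on a group DN."""
    return DIRECTORY.get(dn_key(dn))


# Constructed memberOf values as a user entry might carry them; the third spells
# the comma as the hex escape \2c and must still match the entry above.
MEMBER_OF = [
    f"cn=ipausers,{GROUPS_BASE}",
    f"cn=staff,{GROUPS_BASE}",
    f"cn=Net\\2c Ops,{GROUPS_BASE}",
    f"ou=legacy\\, contractors,{GROUPS_BASE}",
]

if __name__ == "__main__":
    for trust in (False, True):
        names, searches = resolve_group_names(MEMBER_OF, lookup, trust_rdn=trust)
        print(f"trust_rdn={trust}: {searches} searches -> {names}")
```

Run stand-alone, the script shows four searches and five names without the shortcut, and one search and four names with it: the one search is the `ou=` group, and the missing name is the second cn of `ipausers`, which only a search on the group entry can reveal. That is the trade-off the post identifies: pulling the name out of the DN is safe only when the RDN attribute is the name attribute and a single value per group is acceptable. Note also that matching a memberOf value against an entry needs DN normalisation (`dn_key`), since the same DN can be escaped as `\,` in one place and `\2c` in another.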


