LDAP group query optimisation
a.cudbardb at freeradius.org
Thu Oct 13 16:20:27 CEST 2016
> On Oct 13, 2016, at 9:42 AM, Alan DeKok <aland at deployingradius.com> wrote:
> On Oct 13, 2016, at 9:38 AM, Brian Candler <b.candler at pobox.com> wrote:
>> I am testing out freeradius with FreeIPA (= 389 directory server). This is freeradius-3.0.11 from Ubuntu 16.04, talking to FreeIPA under CentOS 7.
>> The 389 directory server in FreeIPA has a "memberOf" plugin installed (by default), which exposes all the groups as part of the user record. For example:
>> The problem is, whenever I touch the LDAP-Group attribute it triggers off a whole load of LDAP queries, one for each group, to translate the group DN to the cn.
Specify the group as a DN and it won't do the translation.
If you want to examine the DN values yourself using a foreach loop, toggle on cacheable_dn; all the membership DNs will then be available as LDAP-Group instances.
I can see some advantages to extracting groups from the RDN, so feel free to add an issue ticket.
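The two approaches from the reply above, sketched as FreeRADIUS 3.0 configuration. This is an added example, not part of the original message or the project's shipped config; the group name `vpn-users`, the `dc=example,dc=com` suffix and the use of `Tmp-String-0` are assumptions, and the DN layout follows FreeIPA's `cn=groups,cn=accounts` container.

```unlang
# mods-available/ldap (excerpt): cache the memberOf DNs from the user object
ldap {
    group {
        # 389-DS / FreeIPA exposes memberships on the user entry
        membership_attribute = 'memberOf'
        # Store each membership DN as an LDAP-Group value in the control list
        cacheable_dn = 'yes'
    }
}

# sites-available/default (excerpt)
authorize {
    # The ldap module must run first so the user object is fetched
    # and the membership DNs are cached.
    ldap

    # 1. Compare against a full DN. No DN-to-cn translation queries are
    #    issued, and a group with the same cn in another container
    #    cannot match by accident.
    if (LDAP-Group == "cn=vpn-users,cn=groups,cn=accounts,dc=example,dc=com") {
        update control {
            # Tmp-String-0 is used here only as a constructed marker
            Tmp-String-0 := "vpn-allowed"
        }
    }

    # 2. Walk the cached DNs without further LDAP traffic.
    foreach &control:LDAP-Group {
        # Anchor on the expected container so only FreeIPA group
        # entries under this suffix are accepted (assumed suffix).
        if ("%{Foreach-Variable-0}" =~ /^cn=([^,]+),cn=groups,cn=accounts,dc=example,dc=com$/i) {
            update request {
                # Collect the group's cn taken from the RDN
                Tmp-String-1 += "%{1}"
            }
        }
    }
}
```

The regular expression in the loop assumes group names contain no escaped commas; a DN with `\,` in its first RDN would not match and is skipped.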