LDAP group query optimisation

Brian Candler b.candler at pobox.com
Thu Oct 13 16:48:48 CEST 2016


> Specify the group as a DN and it won't do the translation.

Thanks, that works.

I guess there is some implicit logic which checks to see if the string 
tastes like a DN or not. Ah yes: rlm_ldap_is_dn().

> If you want to examine the DN values yourself using a foreach loop,
> toggle on cacheable_dn, all the membership DNs will then be available as
> LDAP-Group instances.

OK, that works too. It materializes LDAP-Group and LDAP-Group[*], which 
can then also be used in string expansions.

I didn't investigate this flag before, because it said it was for use 
with rlm_cache, which I'm not using.

Some documentation on the magical behaviour of the LDAP-Group attribute 
would be nice to have :-)

> I can see some advantages to extracting groups from the RDN, so feel
> free to add an issue ticket.

Done: https://github.com/FreeRADIUS/freeradius-server/issues/1788

Cheers,

Brian.

