LDAP group query optimisation

Arran Cudbard-Bell a.cudbardb at freeradius.org
Thu Oct 13 17:07:23 CEST 2016


> On Oct 13, 2016, at 10:48 AM, Brian Candler <b.candler at pobox.com> wrote:
> 
>> Specify the group as a DN and it won't do the translation.
> 
> Thanks, that works.
> 
> I guess there is some implicit logic which checks to see if the string tastes like a DN or not. Ah yes: rlm_ldap_is_dn().

:)

> > If you want to examine the DN values yourself using a foreach loop, toggle on cacheable_dn, all the membership DNs will then be available as LDAP-Group instances.
> 
> OK, that works too. It materializes LDAP-Group and LDAP-Group[*], which can then also be used in string expansions.

Well, it converts the groups to VP instances; LDAP-Group[*] is just the all instance selector.

> 
> I didn't investigate this flag before, because it said it was for use with rlm_cache, which I'm not using.
> 
> Some documentation on the magical behaviour of the LDAP-Group attribute would be nice to have :-)

RTFC :p

Actually RTFMing reveals:

		#  If cacheable_name or cacheable_dn are enabled,
		#  all group information for the user will be
		#  retrieved from the directory and written to LDAP-Group
		#  attributes appropriate for the instance of rlm_ldap.

I added a note about it not just being for rlm_cache.

> > I can see some advantages to extracting groups from the RDN, so feel free to add an issue ticket.
> 
> Done: https://github.com/FreeRADIUS/freeradius-server/issues/1788

Thanks.

-Arran
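
The thread's closing idea, taking the group name from the RDN of a membership DN instead of querying the directory for it, sketched as an added example that is not part of the original post and not FreeRADIUS code. The function names are hypothetical, the sample DNs are constructed, and `cn` as the group naming attribute is an assumption.

```python
import string

# Added example, not FreeRADIUS code: function names are hypothetical.
# Assumes membership values are RFC 4514 string DNs.

def first_rdn(dn):
    """Return (leading RDN, multi_valued), honouring backslash escapes."""
    i, multi = 0, False
    while i < len(dn):
        if dn[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if dn[i] == ",":                # first unescaped comma ends the RDN
            break
        if dn[i] == "+":                # unescaped plus: multi-valued RDN
            multi = True
        i += 1
    return dn[:i], multi

def unescape(value):
    """Decode RFC 4514 escapes (escaped specials and hex pairs) to text."""
    buf, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] != "\\" or not pair:
            buf += value[i].encode("utf-8")
            i += 1
        elif len(pair) == 2 and all(c in string.hexdigits for c in pair):
            buf.append(int(pair, 16))   # a hex pair is one raw byte
            i += 3
        else:
            buf += pair[0].encode("utf-8")  # escaped special such as a comma
            i += 2
    return buf.decode("utf-8")

def group_name_from_dn(dn, naming_attr="cn"):
    """Group name from the leading RDN, or None if a lookup is still needed."""
    rdn, multi = first_rdn(dn)
    attr, sep, value = rdn.partition("=")
    if not sep or multi or attr.strip().lower() != naming_attr:
        return None
    return unescape(value)

if __name__ == "__main__":
    # Constructed sample membership values
    for dn in ("cn=netadmins,ou=groups,dc=example,dc=org",
               "CN=Sales\\, EMEA,ou=groups,dc=example,dc=org",
               "ou=groups,dc=example,dc=org"):
        print(dn, "->", group_name_from_dn(dn))
```

A `None` result (not a DN, a different naming attribute, or a multi-valued RDN) means the name cannot be derived safely from the string alone and the directory still has to be asked.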