Gotchas of LDAP Server Side Sort controls

Michael Ströder michael at
Wed Mar 15 23:08:19 CET 2017

Arran Cudbard-Bell wrote:
> Ambiguous results result in the user being rejected unless you specify a SSS to make
> the result deterministically ambiguous :)

There's one use-case where you can turn ambiguous search results into a single result:
Use SSS together with sizelimit=1 for searching the highest or lowest ordered ID. ;-P

> It's useful for pulling back multiple policy objects in a hierarchy. For example you
> can represent port strings with LDAP objects, and hang policy off different levels
> (line cards, ports etc...).

Hmm, but why can't you just do this by comparing the attribute values in FreeRADIUS?

> For that you need the entries to be sorted by DN.

You can only use SSS on attributes with LDAP syntax for which an ORDERING matching rule
is defined (see RFC 2891). There is no ORDERING matching rule defined for DN syntax (see
RFC 4517).

> It can also be useful for doing the same thing with nested groups.

Hmm, frankly I don't get it.

> I guess I'll just add a note about resource exhaustion... But honestly, allocating
> memory for one SSS per connection shouldn't cause any issues on modern systems?

Well, this depends very much on how many entries are returned.

Ciao, Michael.
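The "SSS plus sizelimit=1" trick and the "no ORDERING rule for DN syntax" caveat above both come down to what the control carries on the wire. The following is an added example, not code from this post, from FreeRADIUS or from any LDAP library: it encodes the RFC 2891 SortKeyList request value and decodes the SortResult response value using only the Python standard library. The function and variable names are mine, and the response bytes decoded at the end are constructed for illustration (they were not captured from a real server).

```python
"""
Server Side Sort (RFC 2891) on the wire: build the SortKeyList request value
and parse the SortResult response value with nothing but the standard library.
Constructed example; not code from the post, FreeRADIUS or python-ldap.
"""
from typing import List, Optional, Tuple

SSS_REQUEST_OID = "1.2.840.113556.1.4.473"   # sortKeyRequestControl
SSS_RESPONSE_OID = "1.2.840.113556.1.4.474"  # sortKeyResponseControl

# sortResult ENUMERATED values, RFC 2891 section 1.2
SORT_RESULT_NAMES = {
    0: "success", 1: "operationsError", 3: "timeLimitExceeded",
    8: "strongAuthRequired", 11: "adminLimitExceeded", 16: "noSuchAttribute",
    18: "inappropriateMatching", 50: "insufficientAccessRights", 51: "busy",
    53: "unwillingToPerform", 80: "other",
}

SortKey = Tuple[str, Optional[str], bool]  # (attributeType, orderingRule, reverseOrder)


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end


def encode_sort_key_list(keys: List[SortKey]) -> bytes:
    """
    SortKeyList ::= SEQUENCE OF SEQUENCE {
        attributeType  AttributeDescription,
        orderingRule   [0] MatchingRuleId OPTIONAL,
        reverseOrder   [1] BOOLEAN DEFAULT FALSE }
    LDAP uses implicit tagging, so [0] and [1] are primitive tags 0x80 and 0x81;
    reverseOrder is omitted when FALSE because it is the DEFAULT.
    """
    items = b""
    for attr, rule, reverse in keys:
        body = _tlv(0x04, attr.encode("ascii"))       # OCTET STRING
        if rule is not None:
            body += _tlv(0x80, rule.encode("ascii"))  # [0] MatchingRuleId
        if reverse:
            body += _tlv(0x81, b"\xff")               # [1] BOOLEAN TRUE
        items += _tlv(0x30, body)
    return _tlv(0x30, items)


def decode_sort_result(value: bytes) -> Tuple[int, str, Optional[str]]:
    """
    SortResult ::= SEQUENCE {
        sortResult     ENUMERATED { ... },
        attributeType  [0] AttributeDescription OPTIONAL }
    attributeType, when present, names the key the server could not sort on,
    e.g. an attribute whose syntax has no ORDERING matching rule.
    """
    tag, seq, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("SortResult is not a SEQUENCE")
    tag, enum, pos = _read_tlv(seq, 0)
    if tag != 0x0A:
        raise ValueError("sortResult is not an ENUMERATED")
    code = int.from_bytes(enum, "big", signed=True)
    attr = None
    if pos < len(seq):
        tag, content, _ = _read_tlv(seq, pos)
        if tag == 0x80:
            attr = content.decode("ascii")
    return code, SORT_RESULT_NAMES.get(code, "unknown(%d)" % code), attr


def extreme_value_search(attr: str, highest: bool = True) -> dict:
    """
    Parameters for the 'highest (or lowest) ordered value' trick: one sort key,
    reversed for the highest value, sizelimit 1, and the control marked critical
    so a server that cannot sort refuses the search instead of silently handing
    back an arbitrary first entry.
    """
    value = encode_sort_key_list([(attr, None, highest)])
    return {"sizelimit": 1, "controls": [(SSS_REQUEST_OID, True, value)]}


if __name__ == "__main__":
    print("request value:", extreme_value_search("uidNumber")["controls"][0][2].hex())
    # Constructed response (not captured from a server): a server refusing to
    # sort on the DN-syntax attribute 'member'.
    print("response:", decode_sort_result(bytes.fromhex("300b0a011280066d656d626572")))
```

The critical flag is the check a practitioner wants here: a non-critical SSS that the server ignores, combined with sizelimit=1, quietly returns whichever entry happens to come first rather than the highest ID. The same request from the command line, using the syntax documented in ldapsearch(1), is `ldapsearch -E '!sss=-uidNumber' -z 1 ...`, where the leading `-` reverses the order and `!` marks the control critical.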
