Efficient AD group matching via the new wbclient interface

Isaac Boukris iboukris at gmail.com
Thu Apr 12 14:19:05 CEST 2018


Hi,

On Tue, Feb 20, 2018 at 3:06 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> On Tue, Feb 13, 2018 at 6:29 PM, Isaac Boukris <iboukris at gmail.com> wrote:
>> On Tue, Feb 13, 2018 at 6:13 PM, Matthew Newton <mcn at freeradius.org> wrote:
>>> On Tue, 2018-02-13 at 18:05 +0200, Isaac Boukris wrote:
>>>> On Tue, Feb 13, 2018 at 4:07 PM, Alan DeKok <aland at deployingradius.com> wrote:
>>>> > > I'm now thinking on how to implement the caching of group-name to SID
>>>> > > mapping with configurable timeout, ideally using existing interface -
>>>> > > ideas welcome.
>>>> >
>>>> > The "cache" module should be able to do that.  My $0.02 is to just
>>>> > create the mappings, and let the rest of the policies decide what
>>>> > to cache (or not).
>>>>
>>>> The mapping I am interested in is of group-name to SID, which is
>>>> relevant to *any* user and not related to what the AD-Group compare
>>>> function actually does.
>>>> I haven't figured out yet how to use the cache module for that.
>>>
>>> I think winbindd already caches those mappings? If so
>>> wbcCtxLookupSid / wbcCtxLookupSids and friends should be relatively
>>> fast (i.e. no network traffic unless needed). Though it does mean
>>> another call to winbindd, which needs the connection pool.
>>>
>>> Question is whether the added complexity of managing a cache in
>>> FreeRADIUS is worth it if there's already another cache on the same box
>>> anyway.
>>
>>
>> Good point, I'll look into it and run some tests.
>
>
> Actually, I am not so sure we want to rely on winbind's cache as there
> seems to be no easy way to configure it (seems indefinite).
> Also, I've run some tests and had a look at the code, there seems to be
> no caching of name->sid in winbind (that is the result of
> wbcCtxLookupName), so we'll need a local cache.
>
> For other auth methods I suggest we call wbcCtxLookupUserSids(), add
> those to the request and continue processing normally.
> I'll update the code accordingly and open a pull request.


Just a quick update on this.
The function wbcCtxLookupUserSids() doesn't really work as I thought,
but I am still trying to figure out a proper solution for the eap-tls use
case (and the caching issue).
I'll update asap (though it may take a while).

