Efficient AD group matching via the new wbclient interface
Alan DeKok
aland at deployingradius.com
Tue Feb 13 15:07:12 CET 2018
On Feb 10, 2018, at 10:22 AM, Isaac Boukris <iboukris at gmail.com> wrote:
> I am working on improving AD group matching for mschap authentication,
> taking advantage of the new wbclient direct interface which returns
> the user's token (including group membership SIDs) as part of NTLM
> authentication.
>
> Work in progress:
> https://github.com/frenche/freeradius-server/commit/9af7dfd634a251f68b07064603ccbbca308492bf

It looks good.

> I'm now thinking on how to implement the caching of group-name to SID
> mapping with configurable timeout, ideally using existing interface -
> ideas welcome.

The "cache" module should be able to do that. My $0.02 is to just create the mappings, and let the rest of the policies decide what to cache (or not).

> @mcnewton, I noticed at last there is a similar group-compare function
> in v4 branch, though I think the two actually can complete each other.

I'd like Matthew's comments, too.

Alan DeKok.