Efficient AD group matching via the new wbclient interface

Matthew Newton mcn at freeradius.org
Tue Feb 13 17:13:57 CET 2018


On Tue, 2018-02-13 at 18:05 +0200, Isaac Boukris wrote:
> On Tue, Feb 13, 2018 at 4:07 PM, Alan DeKok <aland at deployingradius.com> wrote:
> > > I'm now thinking on how to implement the caching of group-name to
> > > SID mapping with configurable timeout, ideally using existing
> > > interface - ideas welcome.
> > 
> > The "cache" module should be able to do that.  My $0.02 is to just
> > create the mappings, and let the rest of the policies decide what
> > to cache (or not).
> 
> The mapping I am interested in is of group-name to SID, which is
> relevant to *any* user and not related to what the AD-Group compare
> function actually does.
> I haven't yet figured out how to use the cache module for that.

I think winbindd already caches those mappings? If so
wbcCtxLookupSid / wbcCtxLookupSids and friends should be relatively
fast (i.e. no network traffic unless needed). Though it does mean
another call to winbindd, which needs the connection pool.

Question is whether the added complexity of managing a cache in
FreeRADIUS is worth it if there's already another cache on the same box
anyway.

-- 
Matthew


