Efficient AD group matching via the new wbclient interface

Isaac Boukris iboukris at gmail.com
Tue Feb 13 17:29:09 CET 2018


On Tue, Feb 13, 2018 at 6:13 PM, Matthew Newton <mcn at freeradius.org> wrote:
> On Tue, 2018-02-13 at 18:05 +0200, Isaac Boukris wrote:
>> On Tue, Feb 13, 2018 at 4:07 PM, Alan DeKok <aland at deployingradius.com>
>> wrote:
>> > > I'm now thinking on how to implement the caching of group-name to SID
>> > > mapping with configurable timeout, ideally using existing interface -
>> > > ideas welcome.
>> >
>> > The "cache" module should be able to do that.  My $0.02 is to just
>> > create the mappings, and let the rest of the policies decide what
>> > to cache (or not).
>>
>> The mapping I am interested in is of group-name to SID, which is
>> relevant to *any* user and not related to what the AD-Group compare
>> function actually does.
>> I haven't figured out yet how to use the cache module for that.
>
> I think winbindd already caches those mappings? If so,
> wbcCtxLookupSid / wbcCtxLookupSids and friends should be relatively
> fast (i.e. no network traffic unless needed). Though it does mean
> another call to winbindd, which needs the connection pool.
>
> Question is whether the added complexity of managing a cache in
> FreeRADIUS is worth it if there's already another cache on the same box
> anyway.


Good point, I'll look into it and run some tests.

Thanks!

