Efficient AD group matching via the new wbclient interface

Isaac Boukris iboukris at gmail.com
Tue Feb 20 13:06:38 CET 2018


On Tue, Feb 13, 2018 at 6:29 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> On Tue, Feb 13, 2018 at 6:13 PM, Matthew Newton <mcn at freeradius.org> wrote:
>> On Tue, 2018-02-13 at 18:05 +0200, Isaac Boukris wrote:
>>> On Tue, Feb 13, 2018 at 4:07 PM, Alan DeKok <aland at deployingradius.com> wrote:
>>> > > I'm now thinking on how to implement the caching of group-name to SID
>>> > > mapping with configurable timeout, ideally using existing interface -
>>> > > ideas welcome.
>>> >
>>> > The "cache" module should be able to do that.  My $0.02 is to just
>>> > create the mappings, and let the rest of the policies decide what
>>> > to cache (or not).
>>>
>>> The mapping I am interested in is of group-name to SID, which is
>>> relevant to *any* user and not related to what the AD-Group compare
>>> function actually does.
>>> I haven't figured out yet how to use the cache module for that.
>>
>> I think winbindd already caches those mappings? If so,
>> wbcCtxLookupSid / wbcCtxLookupSids and friends should be relatively
>> fast (i.e. no network traffic unless needed). Though it does mean
>> another call to winbindd, which needs the connection pool.
>>
>> Question is whether the added complexity of managing a cache in
>> FreeRADIUS is worth it if there's already another cache on the same box
>> anyway.
>
>
> Good point, I'll look into it and run some tests.


Actually, I am not so sure we want to rely on winbind's cache as there
seems to be no easy way to configure it (it seems indefinite).
Also, I've run some tests and had a look at the code, and there seems to be
no caching of name->sid in winbind (that is, the result of
wbcCtxLookupName), so we'll need a local cache.

For other auth methods I suggest we call wbcCtxLookupUserSids(), add
those to the request and continue processing normally.
I'll update the code accordingly and open a pull request.


More information about the Freeradius-Users mailing list
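Added illustration, not code from the thread, from FreeRADIUS or from Samba: a small C model of the local group-name to SID cache with a configurable timeout that the message above proposes. The resolver is a function pointer standing in for wbcCtxLookupName() (libwbclient is not used here); the mock resolver, the group names and the SIDs it returns are constructed for the example, and the clock is passed in explicitly so the TTL behaviour can be walked without waiting. Keys are case-folded because AD names are case-insensitive, and failed lookups are deliberately not cached so a transient winbindd error cannot pin a group to "unknown" for a whole TTL.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>
#include <time.h>

#define CACHE_SLOTS 64
#define NAME_MAX    256
#define SID_MAX     128

/* Stand-in for wbcCtxLookupName(): 0 and `sid` filled on success, non-zero otherwise. */
typedef int (*resolve_fn)(const char *name, char *sid, size_t sid_len);

typedef struct {
    int    used;
    char   name[NAME_MAX];   /* case-folded group name */
    char   sid[SID_MAX];
    time_t expires;          /* absolute expiry, seconds */
} cache_entry;

typedef struct {
    cache_entry slots[CACHE_SLOTS];
    unsigned    ttl;             /* configurable timeout in seconds */
    resolve_fn  resolve;
    unsigned    resolver_calls;  /* how often the resolver was actually consulted */
} sid_cache;

static void sid_cache_init(sid_cache *c, unsigned ttl, resolve_fn fn)
{
    memset(c, 0, sizeof(*c));
    c->ttl = ttl;
    c->resolve = fn;
}

/* Case-fold the key so "Domain Admins" and "domain admins" share one entry. */
static void fold_name(const char *in, char *out, size_t n)
{
    size_t i;
    for (i = 0; i + 1 < n && in[i]; i++) out[i] = (char)tolower((unsigned char)in[i]);
    out[i] = '\0';
}

static unsigned hash_name(const char *s)
{
    unsigned h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h;
}

/* Linear probe: the entry holding `key`, or the first free slot; evict the home slot if full. */
static cache_entry *find_slot(sid_cache *c, const char *key)
{
    unsigned start = hash_name(key) % CACHE_SLOTS;
    for (unsigned i = 0; i < CACHE_SLOTS; i++) {
        cache_entry *e = &c->slots[(start + i) % CACHE_SLOTS];
        if (!e->used || strcmp(e->name, key) == 0) return e;
    }
    return &c->slots[start];
}

/* 0 and `sid` filled on success, -1 if the name does not resolve (negative results are not cached). */
int sid_cache_lookup(sid_cache *c, const char *name, time_t now, char *sid, size_t sid_len)
{
    char key[NAME_MAX], fresh[SID_MAX];
    fold_name(name, key, sizeof(key));

    cache_entry *e = find_slot(c, key);
    if (e->used && strcmp(e->name, key) == 0 && now < e->expires) {
        snprintf(sid, sid_len, "%s", e->sid);
        return 0;
    }

    c->resolver_calls++;
    if (c->resolve(name, fresh, sizeof(fresh)) != 0) return -1;

    e->used = 1;
    snprintf(e->name, sizeof(e->name), "%s", key);
    snprintf(e->sid, sizeof(e->sid), "%s", fresh);
    e->expires = now + (time_t)c->ttl;
    snprintf(sid, sid_len, "%s", fresh);
    return 0;
}

/* Constructed resolver: two made-up groups with made-up SIDs. */
static int mock_resolve(const char *name, char *sid, size_t sid_len)
{
    if (strcasecmp(name, "Domain Admins") == 0) { snprintf(sid, sid_len, "S-1-5-21-1111111111-2222222222-3333333333-512"); return 0; }
    if (strcasecmp(name, "VPN Users") == 0)     { snprintf(sid, sid_len, "S-1-5-21-1111111111-2222222222-3333333333-1105"); return 0; }
    return -1;
}

/* Walk the TTL behaviour with a fake clock; returns 0 on success, else the failing step number. */
int run_scenario(void)
{
    sid_cache c;
    char sid[SID_MAX];
    sid_cache_init(&c, 60, mock_resolve);

    if (sid_cache_lookup(&c, "Domain Admins", 1000, sid, sizeof(sid)) != 0) return 1;
    if (strcmp(sid, "S-1-5-21-1111111111-2222222222-3333333333-512") != 0) return 2;
    if (c.resolver_calls != 1) return 3;
    /* Different case, inside the TTL: served from the cache, no resolver call. */
    if (sid_cache_lookup(&c, "domain admins", 1030, sid, sizeof(sid)) != 0) return 4;
    if (c.resolver_calls != 1) return 5;
    /* TTL elapsed: resolver consulted again and the entry refreshed. */
    if (sid_cache_lookup(&c, "Domain Admins", 1061, sid, sizeof(sid)) != 0) return 6;
    if (c.resolver_calls != 2) return 7;
    /* Unknown group: failure returned each time, never cached. */
    if (sid_cache_lookup(&c, "No Such Group", 1061, sid, sizeof(sid)) != -1) return 8;
    if (sid_cache_lookup(&c, "No Such Group", 1062, sid, sizeof(sid)) != -1) return 9;
    if (c.resolver_calls != 4) return 10;
    return 0;
}

int main(void)
{
    int rc = run_scenario();
    printf("scenario %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

In a real module the `now` argument would come from the request clock and the resolver would hold the wbcContext from the connection pool; the point of the model is that the only per-request winbindd round trip is the one at expiry, and that the timeout is a single tunable rather than whatever winbindd's own cache happens to do.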