cacheable groups for ldap
Nick Porter
nick at portercomputing.co.uk
Mon May 22 16:42:03 UTC 2023
On 22/05/2023 17:12, dextá wrote:
> Is there any limit on how many groups can be cached via ldap module?
There is no specific limit within FreeRADIUS. You are best running
FreeRADIUS in debug mode to see what is happening (or using radmin to
capture debug output for that specific user).
> I ask because I have some users who have 80 groups in their profile. This
> is because we use AD + Moodle to manage the courses.
That is a lot - but should just result in 80 instances of the cached
group attribute being created.
> This particular user is unable to connect to the Wi-Fi. I suspect that the
> reason might be having too many groups in their profile.
Debug output is the way to confirm or deny suspicions.
> membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
> membership_attribute = 'memberOf'
Having both membership_filter and membership_attribute will be
increasing the load on your directory and the number of queries being sent.
If a user's group membership can be entirely defined using the memberOf
attribute in their object, then just set that and comment out
membership_filter.
The group membership determined by membership_attribute is fetched at
the same time as the user's DN is found.
Membership found using membership_filter is a separate query once the
user has been found - and should only be used if group membership can't
be determined using membership_attribute.
Nick
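
Added example, not part of the original message: the `group` section of the rlm_ldap module configuration as posted, next to the memberOf-only form the reply recommends. The `base_dn` and `filter` values and the caching settings are assumptions for illustration; only the `membership_filter` and `membership_attribute` lines come from the thread.

```conf
# mods-available/ldap (FreeRADIUS 3.x layout assumed)

# --- As posted: both lookups enabled ---
# ldap {
#     group {
#         # Separate search sent after the user object has been found.
#         membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"
#         # Read from the user object in the same query that finds the DN.
#         membership_attribute = 'memberOf'
#     }
# }

# --- Recommended when memberOf fully describes membership ---
ldap {
    group {
        base_dn = "${..base_dn}"          # assumed: inherit the module base_dn
        filter = '(objectClass=group)'    # assumed: AD group object class

        # Commented out: no per-user group search is sent to the directory.
        # membership_filter = "(|(member=%{control:Ldap-UserDn})(memberUid=%{%{Stripped-User-Name}:-%{User-Name}}))"

        # Group DNs are taken from the user object's memberOf values.
        membership_attribute = 'memberOf'

        # Assumed caching settings: one cached attribute instance is
        # created per group, so a user in 80 groups gets 80 instances.
        cacheable_dn = 'yes'
        cache_attribute = 'LDAP-Cached-Membership'
    }
}
```

Running `radiusd -X` after the change shows which LDAP searches are sent for the affected user and how many cached group values are added to the request.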