Azure AD LDAP / memberOf / Not all groups being assigned to control:LDAP-Group
Nick Porter
nick at portercomputing.co.uk
Thu Mar 7 18:44:39 UTC 2024
On 07/03/2024 18:01, Mike Mercier wrote:
> Has anyone else experienced this? Is there a knob I have to tune somewhere
> that I am unaware of?
It partly depends on how you are resolving group membership.
Firstly, upgrade to version 3.2.3 (from https://packages.networkradius.com).
Prior to that version there was a hard-coded limit on the number of
groups which would be cached.
In version 3.2.3, that limit only applies if the caching involves doing
a group name -> DN resolution (i.e. the LDAP server returns names and
you've asked for DNs to be cached).
For the most efficient group checks, it is worth verifying how the LDAP
server returns groups and use that form.
I.e. if the server returns names, then set cacheable_name = 'yes' and do
all your checks using group names. If the server returns DNs then set
cacheable_dn = 'yes' and do all your checks using DNs. This
significantly reduces the number of LDAP queries that are run.
Nick
--
Nick Porter
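As an added illustration (not part of Nick's reply or of the FreeRADIUS project's own files), the rlm_ldap group section in FreeRADIUS 3.2.x aligned with a directory whose memberOf attribute returns group DNs, followed by the matching unlang check; the server URL, base DN and group DN are placeholders.

```conf
# mods-available/ldap (FreeRADIUS 3.2.x) - constructed example, placeholder values throughout
ldap {
	server = 'ldaps://ldap.example.invalid'     # placeholder
	base_dn = 'DC=example,DC=invalid'           # placeholder

	group {
		base_dn = "${..base_dn}"
		name_attribute = 'cn'

		# Assumption: memberOf is returned as DNs (Active Directory style),
		# so cache the DN form and check against DNs. Caching the name form
		# here would require a name -> DN resolution per group, which is the
		# path the pre-3.2.3 cache limit applied to.
		membership_attribute = 'memberOf'
		cacheable_name = 'no'
		cacheable_dn = 'yes'
		cache_attribute = 'LDAP-Cached-Membership'
	}
}

# sites-available/default, authorize section: compare in the same form that was cached
authorize {
	ldap

	# Compares against the cached DN list; no extra LDAP query is needed.
	if (LDAP-Group == 'CN=VPN-Users,OU=Groups,DC=example,DC=invalid') {   # placeholder DN
		update reply {
			Reply-Message := 'VPN group member'
		}
	}

	# A name-form check would not match the cached DNs and falls back to
	# querying the directory, losing the benefit of the cache:
	# if (LDAP-Group == 'VPN-Users') { ... }
}
```

If the directory instead returns group names in memberOf, swap the two cacheable_* settings and write the check against the name.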