

I’m trying to minimize LDAP queries to Active Directory due to heavy load on



1º - Change the query in the LDAP module so that it does not search groups of groups


Accomplished with this in the ldap module:

                filter = "(samaccountname=%{Stripped-User-Name})"
                dictionary_mapping = ${raddbdir}/ldap.attrmap
                groupname_attribute = cn
                groupmembership_filter =



2º - Do only one LDAP query for each type

I have several campuses and several VLAN assignments on each campus.

So, for example, I have these check items in the users file:


DEFAULT Huntgroup-Name == "gambelas",ldapnaodocentes-Ldap-Group =="Nao
                Tunnel-Private-Group-ID := 302,

DEFAULT Huntgroup-Name == "gambelas",ldapnaodocentes-Ldap-Group ==
                Tunnel-Private-Group-ID := 304,

DEFAULT Huntgroup-Name == "Penha",ldapnaodocentes-Ldap-Group =="Nao
                Tunnel-Private-Group-ID := 602,


And so on….

If the user is on the last campus, it will query AD several times for the
same group query, because even if Huntgroup-Name doesn't match, it will still
run the LDAP query of that same check line.


So I tried this with no success:


DEFAULT ldapnaodocentes-Ldap-Group =="Nao Docentes"
                Tunnel-Type := "VLAN", Tunnel-Medium-Type := "IEEE-802",
                Fall-Through = Yes

DEFAULT Huntgroup-Name == "gambelas", My-Group==2
                Tunnel-Private-Group-ID := 302,
                Reply-Message = " eduroam Gambelas Nao Docente Vlan 302!",

DEFAULT Huntgroup-Name == "penha", My-Group==2
                Tunnel-Private-Group-ID := 602,
                Reply-Message = " eduroam Penha Nao Docente Vlan 602!",


But the My-Group==2 is not evaluated.


Is it not possible to assign a value to an item and use it later in the
users file?



3º - Several groups have the same VLAN, so I can create a group of groups in
AD and do the search by that group.

The problem is that it searches every group the user belongs to. If the user
has 20 groups in AD and 10 groups have to be checked in the users file, it
will do 200 searches.

The tokenGroups field of the user in AD has all the groups and groups of
groups for the user, but it is a list of SIDs, not the DNs of the groups.

Is it possible to get the SID of the group instead of the DN, to use it to
search in the tokenGroups field of the user in AD?






List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

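The third question above is about matching group membership against the binary SIDs in a user's tokenGroups attribute instead of issuing one LDAP search per group. The following is an added example in Python, written for this page; it is not code from the original post and not FreeRADIUS code. It decodes the binary SID format that AD returns in objectSid and tokenGroups, encodes the string form back to bytes, tests membership directly against tokenGroups (which the DC returns already expanded for nested groups), and builds one RFC 4515 filter that resolves every token group to its object in a single search. The domain SID and the two group RIDs are made up for the sample; S-1-5-32-544 is the real well-known BUILTIN\Administrators SID.

```python
# Added example (not from the original post, and not FreeRADIUS code):
# work with the binary SIDs that Active Directory returns in a user's
# tokenGroups attribute, so group membership can be tested against that one
# attribute instead of one LDAP search per group.
import struct


def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID (objectSid / tokenGroups format) into "S-1-5-..." form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then N 32-bit little-endian sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID shorter than its 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text: str) -> bytes:
    """Encode an "S-1-5-..." string as the binary form AD stores and searches on."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 255 or len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("SID fields out of range: %r" % text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def ldap_escape_bytes(raw: bytes) -> str:
    """RFC 4515 escaping of a binary assertion value: every byte as \\xx."""
    return "".join("\\%02x" % b for b in raw)


def decode_token_groups(token_groups) -> set:
    """tokenGroups is multi-valued; return the string SIDs it contains."""
    return {sid_to_string(v) for v in token_groups}


def is_member(token_groups, group_sid: str) -> bool:
    """Membership test with no extra LDAP round-trip: tokenGroups already
    includes nested ("group of group") membership, expanded by the DC."""
    return group_sid in decode_token_groups(token_groups)


def group_filter(token_groups) -> str:
    """One filter that resolves every token group to its group object
    (e.g. to read cn or distinguishedName) in a single LDAP search."""
    clauses = "".join("(objectSid=%s)" % ldap_escape_bytes(v) for v in token_groups)
    return "(&(objectCategory=group)(|%s))" % clauses


# Constructed sample data: a made-up domain SID with hypothetical group RIDs.
# S-1-5-32-544 is the real well-known BUILTIN\Administrators SID.
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
NAO_DOCENTES = DOMAIN + "-1107"   # hypothetical "Nao Docentes" group
DOCENTES = DOMAIN + "-1108"       # hypothetical "Docentes" group
SAMPLE_TOKEN_GROUPS = [string_to_sid(s)
                       for s in (DOMAIN + "-513", NAO_DOCENTES, "S-1-5-32-544")]

if __name__ == "__main__":
    print(sorted(decode_token_groups(SAMPLE_TOKEN_GROUPS)))
    print("Nao Docentes:", is_member(SAMPLE_TOKEN_GROUPS, NAO_DOCENTES))
    print("Docentes:", is_member(SAMPLE_TOKEN_GROUPS, DOCENTES))
    print(group_filter(SAMPLE_TOKEN_GROUPS))
```

Two practical caveats: tokenGroups is a constructed attribute, so it must be requested by name in a base-scope search of the user object (it is not returned by subtree searches), and the group SIDs to compare against only need to be looked up once (from each group's objectSid), after which membership, nested groups included, is a comparison against the user's own entry with no per-group query.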