
rlm_ldap: extract group name from group RDN

Open candlerb opened this issue 9 years ago • 1 comment

Issue type

  • [X] Feature request.

Defect/Feature description

If you configure a group membership query like this:

                membership_attribute = 'memberOf'
                name_attributes = 'cn'

and of course the memberOf attribute contains a DN. If the group RDN is cn=...., then we could avoid doing an LDAP query to map the DN to the group name and just extract it straight out of the DN. This would reduce the number of queries required (substantially, if the user is a member of many groups).

There is an edge case to consider: what if the group entry has multiple values for the cn attribute? Arguably, you might want to map the group to multiple names.

Personally I'd just want the primary cn (i.e. the one in the RDN). Having additional cn's would raise the risk that one group could masquerade as another. If there really are people who want this, the extraction of name_attributes from DN could be optional.

Example on the list

candlerb Oct 13 '16 14:10
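To make the proposal concrete, here is an added example of the extraction step, written for this page and not taken from rlm_ldap or from the issue author. It parses each memberOf value as an RFC 4514 DN string (backslash and hex escapes handled; the legacy quoted-value form is not), takes only the leftmost RDN, and returns its value when the RDN attribute type is one of the configured name_attributes. Anything else (an RDN that is not cn, a malformed DN, a bad escape) returns None so the caller knows a lookup is still required. The memberOf values in SAMPLE_MEMBER_OF are constructed for the example. The function and parameter names are this example's own, not rlm_ldap's.

```python
"""Derive group names from the RDN of memberOf DNs without an LDAP lookup.

Added example; not FreeRADIUS code. Only the leftmost RDN is consulted,
which is exactly the "primary cn" the issue asks for: extra cn values
on the group entry (the masquerade risk mentioned above) never enter
the picture because the entry itself is never read.
"""

HEX = set("0123456789abcdefABCDEF")


def split_unescaped(s, sep):
    """Split s on sep, skipping separators that are backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])  # keep the escape pair intact for now
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def unescape(value):
    """Decode RFC 4514 escapes: '\\,' style and '\\2c' hex-pair style."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(ch in HEX for ch in pair):
                out += bytes.fromhex(pair)  # hex escape is a raw UTF-8 byte
                i += 3
                continue
            out += value[i + 1].encode("utf-8")  # single escaped character
            i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return bytes(out).decode("utf-8")  # raises on bytes that are not UTF-8


def group_name_from_dn(member_of_dn, name_attributes=("cn",)):
    """Return the group name from the DN's leftmost RDN, or None if a
    directory lookup is still needed (RDN is not a name attribute,
    DN is malformed, or an escape does not decode)."""
    dn = member_of_dn.strip()
    if not dn:
        return None
    rdn = split_unescaped(dn, ",")[0]          # leftmost RDN only
    wanted = {a.lower() for a in name_attributes}
    for atv in split_unescaped(rdn, "+"):      # multi-valued RDN: cn=a+ou=b
        if "=" not in atv:
            return None                        # malformed attributeTypeAndValue
        attr, _, value = atv.partition("=")    # attribute types never contain '='
        if attr.strip().lower() in wanted:
            try:
                return unescape(value.strip())
            except UnicodeDecodeError:
                return None
    return None


def group_names(member_of_values, name_attributes=("cn",)):
    """Split memberOf values into resolved names and DNs needing a lookup."""
    names, unresolved = [], []
    for dn in member_of_values:
        name = group_name_from_dn(dn, name_attributes)
        if name is None:
            unresolved.append(dn)
        else:
            names.append(name)
    return names, unresolved


# Constructed memberOf values covering the cases a parser must get right.
SAMPLE_MEMBER_OF = [
    "cn=wifi-users,ou=groups,dc=example,dc=com",
    "CN=Sales\\, EMEA,OU=Groups,DC=example,DC=com",   # escaped comma in the name
    "cn=staff+ou=it,ou=groups,dc=example,dc=com",      # multi-valued RDN
    "cn=Finance\\2cAP,ou=groups,dc=example,dc=com",    # hex-escaped comma
    "ou=legacy-group,ou=groups,dc=example,dc=com",     # RDN is not cn: lookup needed
]

if __name__ == "__main__":
    resolved, pending = group_names(SAMPLE_MEMBER_OF)
    print("resolved without a query:", resolved)
    print("still need an LDAP lookup:", pending)
```

Two points worth noting when wiring something like this into a group check. First, the returned value is the decoded name, so `Sales\, EMEA` in the DN compares equal to the configured group `Sales, EMEA`; comparing raw DN substrings instead would silently fail for any name containing a special character. Second, a DN such as `cn=wifi-users,cn=admins,ou=groups,...` yields `wifi-users` and never `admins`, because only the leftmost RDN names the entry; parent components are containers, not aliases.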

Unless the patch is small, we'll have to wait for v4 to get this fixed.

alandekok Feb 27 '17 18:02