On 31/07/12 13:47, David Aldwinckle wrote:
> Hi Phil,
> I tried a test where I commented out "ldap" from the inner tunnel and it
> appears that you are correct.
> I had thought that I would need to "load" the module for the LDAP-Group to be
> populated.
It's a common misconception, and in some ways I wish it were more
obvious that this isn't the case. But as I say, the attribute is a
"virtual" one, and comparisons are executed by a handler that
dynamically does the query, as opposed to a list of groups.
Same thing for SQL-Group and (IIRC) the huntgroup attributes.
This can be relevant if you want to do a lot of group comparisons e.g.
if (Ldap-Group == abc123) {
..
}
elsif (Ldap-Group == def456) {
...
}
...involves two LDAP directory searches. This can get slow with a lot of
groups, for which there are various solutions.
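
Added example (not part of the original message and not FreeRADIUS code): a small Python model of the behaviour described above, counting directory searches when each test in an if/elsif chain is a dynamic group comparison. FakeLdap, DIRECTORY and the function names are hypothetical, the data is constructed, and the "cached" variant is only one possible approach, assumed here because the thread does not name its solutions.

```python
# Constructed sample data: group name -> members. Not from the original thread.
DIRECTORY = {
    "abc123": {"alice"},
    "def456": {"bob", "carol"},
    "ghi789": {"carol"},
}

class FakeLdap:
    """Hypothetical stand-in for an LDAP server that counts searches."""
    def __init__(self, directory):
        self.directory = directory
        self.searches = 0

    def is_member(self, user, group):
        # Models the virtual-attribute handler: one search per comparison.
        self.searches += 1
        return user in self.directory.get(group, set())

    def groups_of(self, user):
        # Models a single search returning every group the user belongs to.
        self.searches += 1
        return {g for g, members in self.directory.items() if user in members}

def first_match_virtual(ldap, user, groups):
    """if / elsif chain where every test is a dynamic group comparison."""
    for group in groups:
        if ldap.is_member(user, group):
            return group  # later elsif branches are never evaluated
    return None

def first_match_cached(ldap, user, groups):
    """Same chain, but membership is fetched once and compared locally."""
    membership = ldap.groups_of(user)
    for group in groups:
        if group in membership:
            return group
    return None

def count_searches(strategy, user, groups):
    """Run one strategy against a fresh server; return (match, searches)."""
    ldap = FakeLdap(DIRECTORY)
    return strategy(ldap, user, groups), ldap.searches

if __name__ == "__main__":
    chain = ["abc123", "def456", "ghi789"]
    for user in ("alice", "carol", "dave"):
        print(user, count_searches(first_match_virtual, user, chain),
              count_searches(first_match_cached, user, chain))
```

In this model the chain costs one search per comparison until a branch matches, so a user in none of the groups pays for every test in the chain.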