[RADIATOR] AuthBy LSA - Maximum AD group member? / Failure if too many users in AD group

Heikki Vatiainen hvn at open.com.au
Tue Jun 11 15:10:29 UTC 2019


On 08/06/2019 0.22, Schwarz, S. (ICT) wrote:

> The “wireless-lumc” AD group, in this example, contains all user 
> accounts that are able to authenticate (about 14500 accounts)
> 
> I wanted to phase out some AD groups in favor of a single AD group, but 
> at this time that’s not an option due to the large business impact if 
> our entire wireless goes down at random.
> 
> Is there a known limit of members that an AD group may have (from a 
> Radiator perspective)?

This should not be a limit for Radiator. The Win32::NetAdmin functions 
Radiator calls get the list of groups for a user. Because it does not 
query the list of users in a group, I think the size of the group should not matter.

If you can do some debugging, see the end of Radius/AuthLSA.pm where the 
group check is done.

If you could add a call to Win32::NetAdmin::GetError() and print the error, 
possibly using Win32::FormatMessage($error), when the calls do not 
return TRUE, then you might be able to get more information about why it 
failed.

In other words, when it looks like the user is not in group, print the 
possible error before returning false.

See here for more information:
https://metacpan.org/pod/Win32::NetAdmin

Thanks,
Heikki

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
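The debugging step suggested above, as an added Perl example that is not Radiator's own code and does not reproduce the exact calls inside Radius/AuthLSA.pm: a membership check is wrapped so that a FALSE result is reported together with the Win32 error code from Win32::NetAdmin::GetError() and its text from Win32::FormatMessage(). The server, group and user names are placeholders, and the choice of GroupIsMember()/LocalGroupIsMember() as the calls to wrap is an assumption; it needs a Windows host with the Win32 and Win32::NetAdmin modules.

```perl
#!/usr/bin/perl
# Added example (not Radiator's own code): wrap a Win32::NetAdmin group
# membership check so that a FALSE result is logged together with the
# Win32 error code and its text, as suggested in the message above.
# Assumptions: Windows host with the Win32 and Win32::NetAdmin modules;
# the server/group/user names below are placeholders; which calls
# Radius/AuthLSA.pm really uses is not reproduced here.
use strict;
use warnings;
use Win32;
use Win32::NetAdmin;

# Returns (1, 0, '') if $user is a member of $group (global or local
# group on $server). Otherwise returns (0, $error, $text) so the caller
# can tell "not a member" (error 0) from "the lookup itself failed".
sub group_is_member_with_error {
    my ($server, $group, $user) = @_;

    # Try the global (domain) group first, then a local group of the same name.
    my $ok = Win32::NetAdmin::GroupIsMember($server, $group, $user)
          || Win32::NetAdmin::LocalGroupIsMember($server, $group, $user);
    return (1, 0, '') if $ok;

    # Neither call returned TRUE: fetch the last Win32 error and its text.
    my $error = Win32::NetAdmin::GetError();
    my $text  = $error ? Win32::FormatMessage($error) : 'no error reported';
    $text =~ s/\s+$//;    # FormatMessage output ends with a newline
    return (0, $error, $text);
}

# Placeholder values (assumed, not taken from any real deployment).
my $server = '\\\\DC1';           # domain controller to query, as \\DC1
my $group  = 'wireless-lumc';     # group named in the thread
my $user   = 'jdoe';

my ($member, $error, $text) = group_is_member_with_error($server, $group, $user);
if ($member) {
    print "$user is a member of $group\n";
} else {
    # Error 0 means the calls succeeded and the user is simply not a member;
    # a non-zero code (RPC, access or name-resolution problems) points at a
    # failed lookup rather than at group size.
    printf "%s not in %s: Win32 error %d (%s)\n", $user, $group, $error, $text;
}
```

In AuthLSA.pm the same idea applies at the point where the group check returns false: log the code and message there before rejecting the user, so that a transient lookup failure is visible in the log instead of looking like a user who is not in the group.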

