[RADIATOR] AuthBy LSA - Maximum AD group member? / Failure if too many users in AD group
Heikki Vatiainen
hvn at open.com.au
Tue Jun 11 15:10:29 UTC 2019
On 08/06/2019 0.22, Schwarz, S. (ICT) wrote:
> The “wireless-lumc” AD group, in this example, contains all user
> accounts that are able to authenticate (about 14500 accounts)
>
> I wanted to phase out some AD groups in favor of a single AD group, but
> at this time that’s not an option due to the large business impact if
> our entire wireless goes down at random.
>
> Is there a known limit of members that an AD group may have (from a
> Radiator perspective)?
This should not be a limit for Radiator. The Win32::NetAdmin functions
Radiator calls get the list of groups for a user. Because it does not
query the list of users by group, I think the size of the group should not matter.
If you can do some debugging, see the end of Radius/AuthLSA.pm where the
group check is done.
If you could add a call to Win32::NetAdmin::GetError() and print the error,
possibly using Win32::FormatMessage($error), when the calls do not
return TRUE, then you might be able to get more information on why it
failed.
In other words, when it looks like the user is not in group, print the
possible error before returning false.
See here for more information:
https://metacpan.org/pod/Win32::NetAdmin
Thanks,
Heikki
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
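Added example of the diagnostic suggested above; this is not Radiator's own AuthLSA.pm code. It assumes Win32::NetAdmin::GroupIsMember is the membership call in use (the sub name, server and user names are placeholders), and shows how GetError() plus Win32::FormatMessage() separate "user is not a member" from "the Win32 call failed", which both surface as a plain false return.

```perl
#!/usr/bin/perl
# Hypothetical diagnostic wrapper, not taken from Radiator.
# Both "not a member" and "API call failed" come back as a false
# value from Win32::NetAdmin; GetError() tells the two apart.
use strict;
use warnings;
use Win32;
use Win32::NetAdmin qw(GroupIsMember GetError);

# Returns (1, undef)    when $user is a member of $group on $server,
#         (0, undef)    when the lookup succeeded and $user is not a member,
#         (0, $reason)  when the underlying Win32 call reported an error.
sub group_member_with_diagnostics {
    my ($server, $group, $user) = @_;

    return (1, undef) if GroupIsMember($server, $group, $user);

    # Win32 status of the last Win32::NetAdmin call; 0 means ERROR_SUCCESS,
    # i.e. the query worked and the user genuinely is not in the group.
    my $err = GetError();
    return (0, undef) unless $err;

    my $text = Win32::FormatMessage($err) // '';
    $text =~ s/\s+$//;    # FormatMessage output ends with CR/LF
    return (0, sprintf("Win32::NetAdmin error %d: %s", $err, $text));
}

# Constructed values: server (e.g. the DC returned by GetDomainController),
# the group name from the thread, and a placeholder user.
my ($server, $group, $user) = ('\\\\DC1', 'wireless-lumc', 'jdoe');
my ($ok, $why) = group_member_with_diagnostics($server, $group, $user);
if ($ok) {
    print "$user is a member of $group\n";
} elsif (defined $why) {
    # This is the line to log before returning false from the group check.
    print "group check for $user FAILED: $why\n";
} else {
    print "$user is not a member of $group\n";
}
```

Logging the failure branch separately from the not-a-member branch is what makes an intermittent authentication outage distinguishable from a real group mismatch.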