substring matching problem: is there a length limit?

$witch a.spinella at fidus.it
Wed Sep 6 14:48:53 CEST 2017


Hello everyone,

I have a working installation of FreeRADIUS version 3.0.15 that "looks for AD group matching" to distinguish allowed users per NAS.

In short, having proof that it is working for many but not all workers, I have observed that in the working case

...........
(2)   } # Auth-Type ntlm_auth = ok
(2) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(2)   post-auth {
(2)     if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") {
(2)     Executing: /bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}:
(2)     EXPAND %{User-Name}
(2)        --> USER1.admin
(2)     Program returned code (0) and output '.....list of 38 groups for 850 chars....... MYDOMAYN\UNIX Admins .......... and 11 more groups for 279 chars'
(2)     if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2")  -> TRUE
(2)     if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2")  {
(2)       update reply {
(2)         Service-Type = Administrative-User
(2)         Cisco-AVpair = "shell:priv-lvl=15"
(2)       }
...........

while in the non-working case we have

...............
(1)   } # Auth-Type ntlm_auth = ok
(1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
(1)   post-auth {
(1)     if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") {
(1)     Executing: /bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}:
(1)     EXPAND %{User-Name}
(1)        --> USER2.admin
(1)     Program returned code (0) and output '........list of 81 groups for 1115 chars...... MYDOMAIN\UNIX Admins ....... and 16 more groups for 402 chars......'
(1)     if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2")  -> FALSE
............

So, it seems that 1115 is outside some limit (I guess 1024), but I am not aware IF and WHERE I can expand it.

As far as I can see (using grep -Ri 1024 *), no text file in /usr/local/etc/raddb includes a 1024 meaningful for the case (well, src files have some more of them....); so please:


a) confirm if there is a string length limit in substring matching

b) if yes, suggest where to interact with the system to increase it (at least twice, better 4 times the original value)


regards


Alessandro
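
An added example, not part of the original post and not FreeRADIUS code: if the script output is cut at some length before the regex sees it (the post guesses 1024; that limit is not confirmed here), the helper can do the group test itself and print only a short fixed answer. It assumes one DOMAIN\Group name per line on stdin; has_group, truncated_substring and sample_groups are hypothetical names, and the group list is constructed.

```sh
#!/bin/sh
# Added example. How the real getwingrp.sh obtains the groups is not shown
# on the page, so the list is simply read from stdin, one group per line.

# has_group WANTED: print "yes" or "no", a few bytes however long the list is.
# grep -F treats WANTED as a literal string (the backslash is not special),
# -x requires the whole line to match, so a longer group name that merely
# contains "UNIX Admins" does not grant the privileged reply.
has_group() {
    if grep -Fxq -- "$1"; then
        echo yes
    else
        echo no
    fi
}

# truncated_substring LIMIT NEEDLE: model of the pattern in the post. The list
# is joined into one string, only the first LIMIT bytes survive, and NEEDLE is
# searched as a substring of what is left. LIMIT is an assumed value.
truncated_substring() {
    if tr '\n' ' ' | head -c "$1" | grep -Fq -- "$2"; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample: 60 filler groups of 26 bytes each (1560 bytes), then
# the group the policy is looking for.
sample_groups() {
    i=1
    while [ "$i" -le 60 ]; do
        printf 'MYDOMAIN\\Filler Group %03d\n' "$i"
        i=$((i + 1))
    done
    printf 'MYDOMAIN\\UNIX Admins\n'
}

# Demo: the wanted group starts after byte 1560 of the joined output.
echo "substring over first 1024 bytes: $(sample_groups | truncated_substring 1024 'UNIX Admins')"
echo "exact match inside the script:   $(sample_groups | has_group 'MYDOMAIN\UNIX Admins')"
```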
 

