freeradius LDAP module issue with reading big cn
In process of authorization user when user has a list of group, and one of them too long as example: memberOf: cn=DMB - System Administration Department - System Administrator,cn= DMB - System Administration Department,cn=DMB - Internal IT Support Departmen t,cn=DMB - Infrastructure Department,cn=DMB - Global Finance Department,cn=DM B - Global Services,cn=DMB - Corporate,cn=Departments,cn=Example,cn=Tenants,cn =Access Control Root,ou=Keycloak,ou=Groups,dc=example,dc=com and target group for authorization located after that group, freeradius authorization process rejecting request with login incorrect: Auth: (0) Login incorrect (Group DN "cn=DMB - System Administration Department - System Administrator,cn=DMB - System Administration Department,cn=DMB - Internal IT Support Department,cn=DMB - Infrastructure Department,cn=DMB - Global Finance Department,cn=DMB - Global Services,cn=: [username] (from client Incubator_switch port 0)
On Dec 27, 2024, at 10:15 AM, Дмитрий <zasim87@gmail.com> wrote:
In process of authorization user when user has a list of group, and one of them too long as example:
The only answer here is to shorten the group name. The server doesn't support infinite-length group names. Alan DeKok.
Hello, I would like to know if it's possible to configure FreeRADIUS to ignore groups that exceed a certain length while still checking the compliance of the remaining groups. Currently, authorization fails as soon as FreeRADIUS encounters a long group, preventing further checks. Thank you for your assistance! пт, 27 дек. 2024 г. в 21:00, Alan DeKok <aland@deployingradius.com>:
On Dec 27, 2024, at 10:15 AM, Дмитрий <zasim87@gmail.com> wrote:
In process of authorization user when user has a list of group, and one
of
them too long as example:
The only answer here is to shorten the group name. The server doesn't support infinite-length group names.
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Jan 10, 2025, at 3:29 AM, Дмитрий <zasim87@gmail.com> wrote:
I would like to know if it's possible to configure FreeRADIUS to ignore groups that exceed a certain length while still checking the compliance of the remaining groups. Currently, authorization fails as soon as FreeRADIUS encounters a long group, preventing further checks.
You'll have to change the source code. See src/modules/rlm_ldap As always, patches are welcome. Alan DeKok.
participants (2)
-
Alan DeKok -
Дмитрий