substring matching problem : is there a length limit?
hello everyone, have a working installation of FreeRADIUS Version 3.0.15 that "look for AD group matching" to distinguish allowed users per NAS. shortly, having proof that it is working for many but not all workers have observed that in working case ........... (2) } # Auth-Type ntlm_auth = ok (2) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (2) post-auth { (2) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") { (2) Executing: /bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}: (2) EXPAND %{User-Name} (2) --> USER1.admin (2) Program returned code (0) and output '.....list of 38 groups for 850 chars....... MYDOMAYN\UNIX Admins .......... and 11 more groups for 279 chars' (2) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") -> TRUE (2) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") { (2) update reply { (2) Service-Type = Administrative-User (2) Cisco-AVpair = "shell:priv-lvl=15" (2) } ........... while in non-working case we have ............... (1) } # Auth-Type ntlm_auth = ok (1) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (1) post-auth { (1) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") { (1) Executing: /bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}: (1) EXPAND %{User-Name} (1) --> USER2.admin (1) Program returned code (0) and output '........list of 81 groups for 1115 chars...... MYDOMAIN\UNIX Admins ....... and 16 more groups for 402 chars......' (1) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh %{User-Name}` =~ /UNIX Admins/ && NAS-IP-Address == "10.20.68.2") -> FALSE ............ so, it seem that 1115 is outside some limit (I guess 1024) but am not aware IF and WHERE can I expand it. as far as I can see (using grep -Ri 1024 *) no textfile in /usr/local/etc/raddb includes a 1024 meaningful for the case (well, src files have some more of them....); so please : a) confirm if there is a string-length-limit in substring matching b) if yes suggest where to interact with the system to increase it (at least twice, better 4 times the original value) regards Alessandro
On Sep 6, 2017, at 8:48 AM, $witch <a.spinella@fidus.it> wrote:
have a working installation of FreeRADIUS Version 3.0.15 that "look for AD group matching" to distinguish allowed users per NAS.
That's good...
shortly, having proof that it is working for many but not all workers have observed that in working case
........... (2) } # Auth-Type ntlm_auth = ok (2) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default (2) post-auth { (2) if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh
Why not just use the features that come with the server? It supports querying AD for group membership via LDAP-Group: if (LDAP-Group == "admin") { ... do stuff ... } The LDAP group checks are even cached, so it doesn't hit AD every time you do the group comparison.
so, it seem that 1115 is outside some limit (I guess 1024) but am not aware IF and WHERE can I expand it.
I wouldn't recommend that. Instead, please explain what that script does, and why you need it to return almost 100 group. I'm willing to bet that you can re-implement that functionality in FreeRADIUS. Alan DeKok.
hi Alan and everybody,
Why not just use the features that come with the server?
it sound a better way than the actual, will test it before to implement actual solution as production one.
I wouldn't recommend that.
surely have more details than me, will leave that untouched
Instead, please explain what that script does,
really simple group-list query (based on http://www.soluzionilinux.com/freeradius-ad-domain-users-authentication-and-...) #!/bin/sh for T in $(/usr/local/bin/wbinfo --user-domgroups `/usr/local/bin/wbinfo -n $1`) ; do /usr/local/bin/wbinfo -s $T | /usr/local/bin/perl -ne 'chomp and print'; done
and why you need it to return, almost 100 group.
have no control over it, the policies that allow an user to belong to a so wide pool of groups are outside my knowledge except for the fact that I can't change them.
I'm willing to bet that you can re-implement that functionality in FreeRADIUS.
ok, will try from now, thank you. Alessandro Spinella
On Sep 6, 2017, at 10:41 AM, $witch <a.spinella@fidus.it> wrote:
it sound a better way than the actual, will test it before to implement actual solution as production one.
That's a good idea.
I wouldn't recommend that.
surely have more details than me, will leave that untouched
Instead, please explain what that script does,
really simple group-list query (based on http://www.soluzionilinux.com/freeradius-ad-domain-users-authentication-and-...)
#!/bin/sh for T in $(/usr/local/bin/wbinfo --user-domgroups `/usr/local/bin/wbinfo -n $1`) ; do /usr/local/bin/wbinfo -s $T | /usr/local/bin/perl -ne 'chomp and print'; done
Wow... that is *slow*. Checking LDAP-Group will be much, much, faster.
I'm willing to bet that you can re-implement that functionality in FreeRADIUS.
ok, will try from now, thank you.
Ask if you have any questions... Alan DeKok.
participants (2)
-
$witch -
Alan DeKok