substring matching problem : is there a length limit?

Alan DeKok aland at deployingradius.com
Wed Sep 6 15:29:30 CEST 2017


On Sep 6, 2017, at 8:48 AM, $witch <a.spinella at fidus.it> wrote:
> I have a working installation of FreeRADIUS Version 3.0.15 that "looks for AD group matching" to distinguish allowed users per NAS.

  That's good...

> shortly, having proof that it is working for many but not all workers have observed that in working case
> 
> ...........
> (2)   } # Auth-Type ntlm_auth = ok
> (2) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default
> (2)   post-auth {
> (2)     if (`/bin/sh /usr/local/etc/raddb/getwingrp.sh

  Why not just use the features that come with the server?  It supports querying AD for group membership via LDAP-Group:

	if (LDAP-Group == "admin") {
		... do stuff ...
	}

  The LDAP group checks are even cached, so it doesn't hit AD every time you do the group comparison.

> so, it seems that 1115 is outside some limit (I guess 1024) but I am not aware IF and WHERE I can expand it.

  I wouldn't recommend that.

  Instead, please explain what that script does, and why you need it to return almost 100 groups.  I'm willing to bet that you can re-implement that functionality in FreeRADIUS.

  Alan DeKok.
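
The per-NAS group check discussed in this message, sketched with LDAP-Group instead of an external script. This is an added illustration, not part of the original post and not configuration from either poster; the NAS addresses and group names are constructed, and it assumes the ldap module is already configured against AD. Each test is one membership lookup, so no long list of group names is ever built or substring-matched.

```unlang
# sites-enabled/default (added illustration; addresses and group names are constructed)
#
# Assumption: mods-enabled/ldap points at AD. For the membership cache, the
# group {} section of the ldap module needs cacheable_name = 'yes' (or
# cacheable_dn = 'yes'), and ldap must run in authorize so the memberships
# are fetched once and reused by every LDAP-Group comparison in the request.

authorize {
	# ... existing authorize entries stay as they are ...
	ldap
}

post-auth {
	# NAS 1: a single group is allowed
	if (NAS-IP-Address == 192.0.2.10) {
		if (!(LDAP-Group == "nas-vpn-users")) {
			reject
		}
	}
	# NAS 2: either of two groups is allowed
	elsif (NAS-IP-Address == 192.0.2.20) {
		if (!(LDAP-Group == "nas-wifi-users") && !(LDAP-Group == "nas-wifi-admins")) {
			reject
		}
	}
	# Default deny for any NAS not listed above; remove this branch if
	# other NASes should not be group-restricted.
	else {
		reject
	}
}
```

Running radiusd -X and sending a test request from each NAS shows which LDAP-Group comparison matched and whether it was answered from the cache.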



