Re: ypldap 1024 character limit on groups?
Thanks. I'll see if I can find the time to fix this. It could be a fun project :-) In the meantime, however, I have determined that CentOS works properly in this regard, so sadly I'll have to switch, at least for now :-( Thanks for the feedback, and information as to exactly where the problem lies so I know where to start looking!

---
Israel Brewster
Computer Support Technician II
Era Alaska
5245 Airport Industrial Rd
Fairbanks, AK 99709
(907) 450-7250 x7293
---

On Mar 7, 2014, at 8:02 AM, Theo de Raadt wrote:

>> I see. Wow, that is a HUGE bug.
>
> Such maximum line lengths have been commonplace in Unix forever. This
> is not an OpenBSD-introduced problem; it is just something that has
> not yet been improved.
>
> Improvements come when people try to push forward along the curve.
> People like you...
Re: ypldap 1024 character limit on groups?
> I see. Wow, that is a HUGE bug.

Such maximum line lengths have been commonplace in Unix forever. This is not an OpenBSD-introduced problem; it is just something that has not yet been improved.

Improvements come when people try to push forward along the curve. People like you...
Re: ypldap 1024 character limit on groups?
On Mar 6, 2014, at 3:24 PM, Philip Guenther wrote:

> On Mon, Mar 3, 2014 at 4:14 PM, Israel Brewster wrote:
>> I am working on setting up my OpenBSD 5.2 box to connect to my company LDAP
>> server (Mac OS X 10.8.5 OpenDirectory). I have successfully installed
>> login_ldap from ports and configured ypldap and the login.conf file such that
>> I can now authenticate as any of my ldap users. However, when ypldap pulls in
>> the group membership information from my LDAP server, it appears to be cutting
>> off the group membership listing at 1024 characters. The end result is that
>> only about half of my users are actually showing up as members of the
>> appropriate group(s). I have confirmed this not only by behavior (sftp is not
>> chrooted for some users even though I have the proper entries to match the
>> group in sshd_conf), but also by using the userinfo command: userinfo for a
>> user that shows up in the first 1024 characters of the group membership
>> listing properly shows the user as a member of the group. userinfo for a user
>> that does not show up in the first 1024 characters show the user as only being
>> part of the default group (staff in this case). How can I get ypldap to show
>> the full member listing?
>
> The 1024 byte limit is hardcoded in libc's getgr* routines.
>
> /usr/src/lib/libc/gen/getgrent.c:#define MAXLINELENGTH 1024
> /usr/src/lib/libc/gen/getgrouplist.c:#define MAXLINELENGTH 1024
>
> Increasing those would also require an increase to grp.h's _GR_BUF_LEN
> and possibly other places in the tree. Not tested: good luck!
>
>
> Philip Guenther

I see. Wow, that is a HUGE bug. Unless there is some workaround, that essentially means OpenBSD is not suitable for use in any sort of directory environment, unless it is very small. I mean, I only have about 300 users in my directory (about 1/3 of the total company), split between two groups, and ypldap only shows about 2/3 of each group, or about 100 people. You could MAYBE manage 200 if you used shorter usernames. But maybe we're just weird, and no normal company puts more than 100 people in a group :-) In any case, thanks for the information. I guess I'll start looking at other OS options. That stinks - I like OpenBSD.

---
Israel Brewster
Computer Support Technician II
Era Alaska
5245 Airport Industrial Rd
Fairbanks, AK 99709
(907) 450-7250 x7293
---
Re: ypldap 1024 character limit on groups?
On Mon, Mar 3, 2014 at 4:14 PM, Israel Brewster wrote:

> I am working on setting up my OpenBSD 5.2 box to connect to my company LDAP
> server (Mac OS X 10.8.5 OpenDirectory). I have successfully installed
> login_ldap from ports and configured ypldap and the login.conf file such that
> I can now authenticate as any of my ldap users. However, when ypldap pulls in
> the group membership information from my LDAP server, it appears to be cutting
> off the group membership listing at 1024 characters. The end result is that
> only about half of my users are actually showing up as members of the
> appropriate group(s). I have confirmed this not only by behavior (sftp is not
> chrooted for some users even though I have the proper entries to match the
> group in sshd_conf), but also by using the userinfo command: userinfo for a
> user that shows up in the first 1024 characters of the group membership
> listing properly shows the user as a member of the group. userinfo for a user
> that does not show up in the first 1024 characters show the user as only being
> part of the default group (staff in this case). How can I get ypldap to show
> the full member listing?

The 1024 byte limit is hardcoded in libc's getgr* routines.

/usr/src/lib/libc/gen/getgrent.c:#define MAXLINELENGTH 1024
/usr/src/lib/libc/gen/getgrouplist.c:#define MAXLINELENGTH 1024

Increasing those would also require an increase to grp.h's _GR_BUF_LEN and possibly other places in the tree. Not tested: good luck!


Philip Guenther
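The failure mode described in this thread (a group record longer than a fixed MAXLINELENGTH buffer, with the members past the limit silently dropped) can be reproduced in miniature. The C program below is an added example written for this page; it is not code from the thread or from OpenBSD's libc. It builds a constructed /etc/group-format record with 150 members (about 1200 bytes), parses it once in full and once through an emulated 1024-byte fixed-buffer read, and reports how many members survive and whether a given user is seen as a member. The group name sftpusers, the userNNN names and all function names are the example's own, and the fixed-buffer read emulates the symptom the reporter observed (only the first ~1024 bytes of the member list are honoured) rather than transcribing the libc getgr* code path.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data (not from the thread): a group record in
 * /etc/group format with NMEMBERS members named user000 .. user149.
 * At 7 bytes per name plus a comma the member list is about 1200 bytes,
 * well past a 1024-byte MAXLINELENGTH. */
#define NMEMBERS 150
#define GROUP_HEADER "sftpusers:*:2000:"   /* name:passwd:gid: */

/* Build the record (newline-terminated); caller frees. NULL on allocation failure. */
static char *build_group_line(void)
{
    size_t cap = sizeof(GROUP_HEADER) + NMEMBERS * 16;
    char *line = malloc(cap);
    if (line == NULL)
        return NULL;
    strcpy(line, GROUP_HEADER);
    size_t len = strlen(line);
    for (int i = 0; i < NMEMBERS; i++)
        len += (size_t)snprintf(line + len, cap - len, "%suser%03d", i ? "," : "", i);
    line[len++] = '\n';
    line[len] = '\0';
    return line;
}

/* Parse the fourth field (the member list) of a group record: return the
 * number of comma-separated member names and set *found to 1 if `who` is
 * exactly one of them. Returns -1 for a record with fewer than four fields.
 * The input is not modified. */
static int count_members(const char *line, const char *who, int *found)
{
    size_t len = strlen(line);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, line, len + 1);
    copy[strcspn(copy, "\n")] = '\0';

    char *p = copy;
    for (int i = 0; i < 3; i++) {        /* skip name, passwd and gid */
        p = strchr(p, ':');
        if (p == NULL) {
            free(copy);
            return -1;
        }
        p++;
    }

    int n = 0;
    *found = 0;
    for (char *tok = strtok(p, ","); tok != NULL; tok = strtok(NULL, ",")) {
        n++;
        if (strcmp(tok, who) == 0)
            *found = 1;
    }
    free(copy);
    return n;
}

/* Emulate reading the record through a fixed buffer of buflen bytes, as an
 * fgets(buf, buflen, fp) call would: at most buflen-1 bytes of the record
 * are kept and the remainder never reaches the parser. */
static int members_fixed(const char *line, size_t buflen, const char *who, int *found)
{
    if (buflen == 0)
        return -1;
    char *buf = malloc(buflen);
    if (buf == NULL)
        return -1;
    size_t len = strlen(line);
    size_t keep = len < buflen - 1 ? len : buflen - 1;
    memcpy(buf, line, keep);
    buf[keep] = '\0';
    int n = count_members(buf, who, found);
    free(buf);
    return n;
}

int main(void)
{
    char *line = build_group_line();
    if (line == NULL)
        return 1;
    int found;
    printf("record length: %zu bytes\n", strlen(line));
    int full = count_members(line, "user149", &found);
    printf("full parse:    %d members, user149 member=%d\n", full, found);
    int fixed = members_fixed(line, 1024, "user149", &found);
    printf("1024-byte buf: %d members, user149 member=%d\n", fixed, found);
    members_fixed(line, 1024, "user124", &found);
    printf("1024-byte buf: user124 member=%d\n", found);
    free(line);
    return 0;
}
```

With the constructed record the full parse sees all 150 members, while the 1024-byte read keeps 125 complete names plus a truncated fragment of the 126th, so user124 is still a member and user125 onwards are not. That is exactly the pattern the reporter saw with userinfo and with sshd Match Group rules: a user past the cut-off falls back to the default group and any group-based policy (here, the sftp chroot) is not applied. Note that the fragment left at the cut-off (user12 in this data) is itself parsed as a member name, so a truncated name could in principle match an unrelated account in a real directory.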
Re: ypldap 1024 character limit on groups?
On Mar 3, 2014, at 3:14 PM, Israel Brewster wrote:

> I am working on setting up my OpenBSD 5.2 box to connect to my company LDAP
> server (Mac OS X 10.8.5 OpenDirectory). I have successfully installed
> login_ldap from ports and configured ypldap and the login.conf file such that
> I can now authenticate as any of my ldap users. However, when ypldap pulls in
> the group membership information from my LDAP server, it appears to be cutting
> off the group membership listing at 1024 characters. The end result is that
> only about half of my users are actually showing up as members of the
> appropriate group(s). I have confirmed this not only by behavior (sftp is not
> chrooted for some users even though I have the proper entries to match the
> group in sshd_conf), but also by using the userinfo command: userinfo for a
> user that shows up in the first 1024 characters of the group membership
> listing properly shows the user as a member of the group. userinfo for a user
> that does not show up in the first 1024 characters show the user as only being
> part of the default group (staff in this case). How can I get ypldap to show
> the full member listing?
> ---
> Israel Brewster
> Computer Support Technician II
> Era Alaska
> 5245 Airport Industrial Rd
> Fairbanks, AK 99709
> (907) 450-7250 x7293
> ---

I was thinking: is there any chance this is due to a problem with the Apple OpenDirectory LDAP, and not with ypldap? When I use a LDAP browser such as explorer, it shows all the groups, but perhaps it works differently. Any suggestions would be appreciated, as right now the LDAP binding is useless, and if I can't get this working I'll have to start over on a different OS where I can make this work - which will not be fun :-(. Thanks.

---
Israel Brewster
Computer Support Technician II
Era Alaska
5245 Airport Industrial Rd
Fairbanks, AK 99709
(907) 450-7250 x7293
---
ypldap 1024 character limit on groups?
I am working on setting up my OpenBSD 5.2 box to connect to my company LDAP server (Mac OS X 10.8.5 OpenDirectory). I have successfully installed login_ldap from ports and configured ypldap and the login.conf file such that I can now authenticate as any of my ldap users. However, when ypldap pulls in the group membership information from my LDAP server, it appears to be cutting off the group membership listing at 1024 characters. The end result is that only about half of my users are actually showing up as members of the appropriate group(s). I have confirmed this not only by behavior (sftp is not chrooted for some users even though I have the proper entries to match the group in sshd_conf), but also by using the userinfo command: userinfo for a user that shows up in the first 1024 characters of the group membership listing properly shows the user as a member of the group. userinfo for a user that does not show up in the first 1024 characters show the user as only being part of the default group (staff in this case). How can I get ypldap to show the full member listing?

---
Israel Brewster
Computer Support Technician II
Era Alaska
5245 Airport Industrial Rd
Fairbanks, AK 99709
(907) 450-7250 x7293
---