Limit on number of role entries?

Help
2006-07-05
2013-04-25
  • Nobody/Anonymous

    I'm using an LDAP query to add roles to a user while logging in:

    LDAP_ROLES_SELECTOR* '"${LDAP::attrname}" eq "isMemberOf" ? strtr("${LDAP::attrvalue}", " ", "_") : 0'

    There seems to be a limit (of 32 items) on the number of role attributes that DACS accepts. If there are more attributes, DACS says: "[dacs_authenticate:"dacs_auth"] invalid roles - ignoring"

     
    • Barry Brachman

      Barry Brachman - 2006-07-05

      There is no limit on the number of role attributes per se, but there is a limit on the maximum length of the role string (by default, 200 bytes).  The current limit is admittedly arbitrary - its purpose is to keep the maximum size of credentials and HTTP cookies to something "reasonable".

      You can change AUTH_MAX_ROLE_STR_LENGTH (defined in include/auth.) to something large enough for your needs, rebuild everything, and give it a try.

      We will look at making this easier to configure in a future release.

      But it's also possible that the problem is something entirely different.  The role string being returned by local_ldap_authenticate might be syntactically invalid. Review dacs(1) for a syntax spec. We will look at improving the logged error message to be more informative.

      Thanks for your inquiry.  Feel free to follow up if you still cannot resolve the problem (you may need to include the role string that is being produced).

      Barry

       
    • Klaus Steinberger

      I am fighting with the same problem. The new dacs version 1.4.14 helps, as one can now bump up ROLE_STRING_MAX_LENGTH.

      But the problem arises from a bunch of "0" written into the role strings:

      You are authenticated within federation PHYSIK as:

         1. EDIR:Klaus.Steinberger with roles 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,mitarbeiter,CIPPHYSIK,email,MLL-LDAP,VERWALTUNG,msdnaa-admin,BL-GROUP,pr-adm-verw,rechner,etpgrid,otrs,cipwheel,0,0,0,0,0,0,0,0

      An ldapsearch gives correct memberships:

      groupMembership: cn=mitarbeiter,ou=Berechtigungsgruppen,o=physik
      groupMembership: cn=CIPPHYSIK,ou=Berechtigungsgruppen,o=physik
      groupMembership: cn=email,ou=Berechtigungsgruppen,o=physik
      groupMembership: cn=MLL-LDAP,ou=Exportgruppen,o=physik
      groupMembership: cn=VERWALTUNG,ou=Berechtigungsgruppen,o=physik
      groupMembership: cn=msdnaa-admin,ou=Berechtigungsgruppen,o=physik
      groupMembership: cn=BL-GROUP,ou=Berechtigungsgruppen,o=physik
      groupMembership: cn=pr-adm-verw,ou=Gruppen,o=physik
      groupMembership: cn=rechner,ou=Gruppen,o=physik
      groupMembership: cn=etpgrid,ou=Gruppen,o=physik
      groupMembership: cn=otrs,ou=Berechtigungsgruppen,o=physik
      groupMembership: cn=cipwheel,ou=Berechtigungsgruppen,o=physik

      My LDAP_ROLES_SELECTOR statement is like in the example:

      LDAP_ROLES_SELECTOR* '"${LDAP::attrname}" eq "groupMembership" \
          ? strtr(ldap(rdn_attrvalue, \
              ldap(dn_index, "${LDAP::attrvalue}", 1)), " ", "_") \
          : 0'

      So it looks like the example isn't correct. The statement should be:

      LDAP_ROLES_SELECTOR* '"${LDAP::attrname}" eq "groupMembership" \
          ? strtr(ldap(rdn_attrvalue, \
              ldap(dn_index, "${LDAP::attrvalue}", 1)), " ", "_") \
          : ""'

      This gives the correct Roles:
      You are authenticated within federation PHYSIK as:

         1. EDIR:Klaus.Steinberger with roles mitarbeiter,CIPPHYSIK,email,MLL-LDAP,VERWALTUNG,msdnaa-admin,BL-GROUP,pr-adm-verw,rechner,etpgrid,otrs,cipwheel

      Sincerely,
      Klaus

       
    • Barry Brachman

      Barry Brachman - 2006-09-06

      Thanks very much, Klaus.  You are correct - the example in dacs_authenticate(1) has an error.  A recent change to expression evaluation is to blame.

      The section of the manual page should read:

      LDAP_ROLES_SELECTOR* (Optional)

          Since LDAP directory operations are usually relatively expensive, this module can return role information for the authenticated user, avoiding a second LDAP operation during Roles clause processing. Roles are typically extracted from information in the user's directory entry. Each occurrence of this directive specifies an expression that is evaluated by iterating through each attribute of the entry and making the attribute name (${LDAP::attrname}) and its value (${LDAP::attrvalue}) available. All of the entry's attribute names and values are made available within the LDAP namespace. If the result of the expression is a valid role string (which excludes the empty string, ""), it is added to the list of roles.

      An example:

      LDAP_ROLES_SELECTOR* '"${LDAP::attrname}" eq "memberOf" \
          ? strtr(ldap(rdn_attrvalue, \
              ldap(dn_index, "${LDAP::attrvalue}", 1)), " ", "_") \
          : ""'

      The next release will include this change.

      Thanks,
      Barry

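To make the difference between the `: 0` and `: ""` fallbacks concrete, here is an added Python model of how the selector is evaluated per attribute and how the results become a role string. This is not DACS code: `dn_index` and `rdn_attrvalue` only mimic the `ldap()` operators used in the thread, the role-name regex is a simplified stand-in for the syntax in dacs(1), the 200-byte limit is the default Barry quotes, and the directory entry is constructed.

```python
import re

# Assumption: a simplified stand-in for the role-name syntax in dacs(1).
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")

# Constructed sample entry: two attributes the selector must not turn into
# roles, plus groupMembership values in the shape shown in the thread.
SAMPLE_ENTRY = [
    ("cn", "Klaus Steinberger"),
    ("mail", "klaus@physik.example"),
    ("groupMembership", "cn=mitarbeiter,ou=Berechtigungsgruppen,o=physik"),
    ("groupMembership", "cn=CIPPHYSIK,ou=Berechtigungsgruppen,o=physik"),
    ("groupMembership", "cn=MLL-LDAP,ou=Exportgruppen,o=physik"),
    ("groupMembership", "cn=pr-adm-verw,ou=Gruppen,o=physik"),
]

def dn_index(dn, i):
    """Mimic ldap(dn_index, dn, i): the i-th RDN (1-based) of a DN, or ''.
    Assumption: RDNs are separated by unescaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return parts[i - 1].strip() if 0 < i <= len(parts) else ""

def rdn_attrvalue(rdn):
    """Mimic ldap(rdn_attrvalue, rdn): the value part of 'attr=value'."""
    return rdn.split("=", 1)[1] if "=" in rdn else ""

def select_roles(entry, attr, no_match):
    """Evaluate the selector once per attribute: a matching attribute yields
    the first RDN's value with spaces turned into '_', any other attribute
    yields the fallback branch (no_match), exactly as the directive does."""
    results = []
    for name, value in entry:
        if name == attr:
            results.append(rdn_attrvalue(dn_index(value, 1)).replace(" ", "_"))
        else:
            results.append(no_match)
    return results

def build_role_string(results, max_len=200):
    """Drop results that are not valid role strings (the empty string never
    is), join the rest with commas and enforce the role-string length limit."""
    roles = [r for r in results if r and ROLE_NAME_RE.match(r)]
    role_str = ",".join(roles)
    if len(role_str) > max_len:
        raise ValueError(f"role string too long: {len(role_str)} > {max_len}")
    return role_str

if __name__ == "__main__":
    for fallback in ("0", ""):
        raw = select_roles(SAMPLE_ENTRY, "groupMembership", fallback)
        print(repr(fallback), "->", build_role_string(raw))
```

With `: 0` every non-matching attribute contributes a literal role "0" (a valid role name, so it is kept), which is why Klaus saw the runs of zeros and why the string eventually exceeded the length limit; with `: ""` those results are discarded.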
       
