On Mon, Mar 3, 2014 at 4:14 PM, Israel Brewster <isr...@eraalaska.net> wrote:
> I am working on setting up my OpenBSD 5.2 box to connect to my company LDAP
> server (Mac OS X 10.8.5 OpenDirectory). I have successfully installed
> login_ldap from ports and configured ypldap and the login.conf file such that
> I can now authenticate as any of my ldap users. However, when ypldap pulls in
> the group membership information from my LDAP server, it appears to be cutting
> off the group membership listing at 1024 characters. The end result is that
> only about half of my users are actually showing up as members of the
> appropriate group(s). I have confirmed this not only by behavior (sftp is not
> chrooted for some users even though I have the proper entries to match the
> group in sshd_conf), but also by using the userinfo command: userinfo for a
> user that shows up in the first 1024 characters of the group membership
> listing properly shows the user as a member of the group. userinfo for a user
> that does not show up in the first 1024 characters shows the user as only being
> part of the default group (staff in this case). How can I get ypldap to show
> the full member listing?

The 1024 byte limit is hardcoded in libc's getgr* routines.

/usr/src/lib/libc/gen/getgrent.c:#define MAXLINELENGTH 1024
/usr/src/lib/libc/gen/getgrouplist.c:#define MAXLINELENGTH 1024

Increasing those would also require an increase to grp.h's _GR_BUF_LEN and
possibly other places in the tree. Not tested: good luck!

Philip Guenther
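
An added example, not part of the thread or of OpenBSD: a shell function that audits group(5)-format lines (for instance the output of `ypcat group`) and names the members that fall past the limit discussed above, since those are the accounts whose group-based sshd rules silently stop applying. The function name `audit_group_lines` is hypothetical, and the exact cutoff (LIMIT-1 usable bytes) is an assumption, not something verified against getgrent.c.

```shell
#!/bin/sh
# Added example, not from the thread. Reads group(5)-format lines on stdin
# and prints one line per oversized entry:
#   <group> <line length in bytes> <comma-separated members past the cutoff>
# Assumption: a LIMIT-byte buffer holds LIMIT-1 bytes of the line plus a
# terminating NUL, so a member counts as lost unless its whole name ends
# within the first LIMIT-1 bytes.
audit_group_lines() {
    limit="${1:-1024}"    # default mirrors MAXLINELENGTH quoted in the reply
    # LC_ALL=C makes awk's length() count bytes rather than characters.
    LC_ALL=C awk -F: -v limit="$limit" '
    length($0) >= limit {
        keep = limit - 1
        # Bytes that precede the member list: "name:passwd:gid:"
        pos = length($1) + length($2) + length($3) + 3
        n = split($4, m, ",")
        lost = ""
        for (i = 1; i <= n; i++) {
            end = pos + length(m[i])      # index of this name'"'"'s last byte
            if (end > keep)
                lost = lost (lost == "" ? "" : ",") m[i]
            pos = end + 1                  # step over the separating comma
        }
        printf "%s %d %s\n", $1, length($0), lost
    }'
}

# Stand-alone use: ypcat group | audit_group_lines
```

Any group it reports is worth cross-checking with userinfo for one of the listed members, as the original poster did.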