On Mar 6, 2014, at 3:24 PM, Philip Guenther <guent...@gmail.com> wrote:
> On Mon, Mar 3, 2014 at 4:14 PM, Israel Brewster <isr...@eraalaska.net> wrote:
>> I am working on setting up my OpenBSD 5.2 box to connect to my company LDAP
>> server (Mac OS X 10.8.5 OpenDirectory). I have successfully installed
>> login_ldap from ports and configured ypldap and the login.conf file such that
>> I can now authenticate as any of my ldap users. However, when ypldap pulls in
>> the group membership information from my LDAP server, it appears to be cutting
>> off the group membership listing at 1024 characters. The end result is that
>> only about half of my users are actually showing up as members of the
>> appropriate group(s). I have confirmed this not only by behavior (sftp is not
>> chrooted for some users even though I have the proper entries to match the
>> group in sshd_conf), but also by using the userinfo command: userinfo for a
>> user that shows up in the first 1024 characters of the group membership
>> listing properly shows the user as a member of the group. userinfo for a user
>> that does not show up in the first 1024 characters shows the user as only being
>> part of the default group (staff in this case). How can I get ypldap to show
>> the full member listing?
>
> The 1024 byte limit is hardcoded in libc's getgr* routines.
>
> /usr/src/lib/libc/gen/getgrent.c:#define MAXLINELENGTH 1024
> /usr/src/lib/libc/gen/getgrouplist.c:#define MAXLINELENGTH 1024
>
> Increasing those would also require an increase to grp.h's _GR_BUF_LEN
> and possibly other places in the tree. Not tested: good luck!
>
>
> Philip Guenther

I see. Wow, that is a HUGE bug. Unless there is some workaround, that essentially means OpenBSD is not suitable for use in any sort of directory environment, unless it is very small. I mean, I only have about 300 users in my directory (about 1/3 of the total company), split between two groups, and ypldap only shows about 2/3 of each group, or about 100 people. You could MAYBE manage 200 if you used shorter usernames.
But maybe we're just weird, and no normal company puts more than 100 people in a group :-) In any case, thanks for the information. I guess I'll start looking at other OS options. That stinks - I like OpenBSD.

-----------------------------------------------
Israel Brewster
Computer Support Technician II
Era Alaska
5245 Airport Industrial Rd
Fairbanks, AK 99709
(907) 450-7250 x7293
-----------------------------------------------