MarcJHuber/event-driven-servers

ldapmavis-mt doesn't pass all memberOf groups back to tac_plus-ng

Closed this issue · 3 comments

Hi Marc,

I've noticed that when using ldapmavis-mt, pcre matching memberOf in tac_plus-ng doesn't get to evaluate all the groups the user is actually a member of.

I first noticed this in the debug output of an authorization request: when using ldapmavis-mt the "MEMBEROF" was (len: 8279), compared to when using mavis_tacplus-ng_ldap.pl for the same user, where I would see a MEMBEROF (len: 17328).

Then I took a pcap and I noticed the initial LDAP query for attributes (&(objectclass=user)(sAMAccountName=sanjmonkey)) was the same between both ldapmavis-mt and mavis_tacplus-ng_ldap.pl, and the memberOf membership returned was the same quantity and groups (153 groups in this case). However, in the ldapmavis-mt pcap, the iteration of subsequent LDAP queries to look at memberOf for all the groups returned in the first query fell short of the total number of groups and was less than those looked up by mavis_tacplus-ng_ldap.pl.

This prompted a closer look :)

I don't have a lot of C experience and my C debugging is very rusty, but I noticed that in all the cases where we don't look up a returned group, we seem to always hit ldapmavis-mt.c#L359 with an rc value of -1. I also noticed that in ldapmavis-mt.c#L310 we don't always seem to read all of the string (but this could be my inability to debug threaded C properly).

Sandy
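The partial-read behaviour the report above suspects around line 310 is a classic C pitfall: a single read call on a socket or pipe may return fewer bytes than the caller asked for, and any code that treats one call as "the whole response" silently loses the tail. The block below is an added example, not code from ldapmavis-mt, tac_plus-ng or the reporter. It shows a read loop that keeps going until the full result has arrived, beside the one-shot read that drops groups when the data lands in pieces. The sample group DNs, the chunked in-memory source (`mem_reader`), the pipe demo and all function names are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Reader callback: fill up to `cap` bytes into `dst`; return the number of
 * bytes produced, 0 at end of data, or -1 with errno set on error. */
typedef ssize_t (*reader_fn)(void *ctx, char *dst, size_t cap);

/* Reader over a real file descriptor, backed by read(2). */
struct fd_src { int fd; };
ssize_t fd_reader(void *ctx, char *dst, size_t cap) {
    return read(((struct fd_src *)ctx)->fd, dst, cap);
}

/* Constructed in-memory source that hands out at most `chunk` bytes per call,
 * mimicking a socket that delivers a long LDAP result in several pieces. */
struct mem_src { const char *data; size_t len, pos, chunk; };
ssize_t mem_reader(void *ctx, char *dst, size_t cap) {
    struct mem_src *s = ctx;
    size_t left = s->len - s->pos;
    size_t n = left < cap ? left : cap;
    if (n > s->chunk) n = s->chunk;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;
}

/* Keep calling the reader until `want` bytes arrived or the source ended.
 * EINTR is retried; any other error yields -1. A return value smaller than
 * `want` means the peer closed early, which the caller must treat as an
 * incomplete result rather than a complete one. */
ssize_t read_full(reader_fn rd, void *ctx, char *buf, size_t want) {
    size_t got = 0;
    while (got < want) {
        ssize_t n = rd(ctx, buf + got, want - got);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0) break;          /* end of data */
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Count newline-terminated group DNs in buf[0..len). */
size_t count_groups(const char *buf, size_t len) {
    size_t c = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == '\n') c++;
    return c;
}

/* Constructed sample: one group DN per line, as a first query might list them. */
static const char sample_groups[] =
    "CN=netadmins,OU=Groups,DC=example,DC=com\n"
    "CN=helpdesk,OU=Groups,DC=example,DC=com\n"
    "CN=auditors,OU=Groups,DC=example,DC=com\n"
    "CN=vpn-users,OU=Groups,DC=example,DC=com\n";

/* Naive pattern: one read call, then count whatever arrived. */
size_t groups_single_read(size_t chunk) {
    struct mem_src s = { sample_groups, sizeof sample_groups - 1, 0, chunk };
    char buf[512];
    ssize_t n = mem_reader(&s, buf, sizeof buf);
    return n < 0 ? 0 : count_groups(buf, (size_t)n);
}

/* Robust pattern: loop until the whole result is in, then count. */
size_t groups_full_read(size_t chunk) {
    struct mem_src s = { sample_groups, sizeof sample_groups - 1, 0, chunk };
    char buf[512];
    ssize_t n = read_full(mem_reader, &s, buf, sizeof sample_groups - 1);
    return n < 0 ? 0 : count_groups(buf, (size_t)n);
}

/* Same loop over a real descriptor: push the sample through a pipe. */
ssize_t groups_via_pipe(void) {
    int p[2];
    size_t len = sizeof sample_groups - 1;
    if (pipe(p) < 0) return -1;
    if (write(p[1], sample_groups, len) != (ssize_t)len) {
        close(p[0]); close(p[1]); return -1;
    }
    close(p[1]);
    struct fd_src s = { p[0] };
    char buf[512];
    ssize_t n = read_full(fd_reader, &s, buf, len);
    close(p[0]);
    return n < 0 ? -1 : (ssize_t)count_groups(buf, (size_t)n);
}
```

With a 50-byte delivery chunk the one-shot read sees only the first DN, while the loop recovers all four; the symptom matches the report's shorter MEMBEROF length and the missing follow-up group lookups, which is why a shorter-than-expected result length is worth treating as an error in the caller rather than as a smaller group list.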

Hi Sandy,

thanks for catching this. Could you please check whether 937ae9b fixes this issue?

Thanks again,

Marc

That fixes it, thanks Marc!

Hi Sandy,

thanks for reporting and testing!

Cheers,

Marc