Re: [PATCH] increase filter_buffer size in try_autzsearch


On 03/16/2012 03:22 AM, Arthur de Jong wrote:
> On Thu, 2012-03-15 at 10:19 -0500, Chris J Arges wrote:
>> Attached is a patch that addresses a bug described in:
>> The filter_buffer in try_autzsearch in nslcd/pam.c currently is 1024
>> bytes in length. By increasing this array size, larger search
>> filters can be used.
>> Let me know if this is the right approach, or if a better
>> technique is needed to fix the situation described in the bug.
> As I understand the bug report the problem was that there was no
> clear error logged when the try_autzsearch failed due to a long
> search filter. The logged error was: pam_authz_search "..." is
> invalid and if ... was very long the line would be cut short and
> the "is invalid" would be lost. In r1628 I've changed the log message
> to invalid pam_authz_search "...." which means that the core of the
> log message will still be intact even if the line ends up being too
> long.
> Allowing bigger filters is certainly a possibility but not really
> the issue at this point. If someone can come up with a practical
> search that will not fit in the buffer I'll increase it.

A generalized example of a larger buffer would be the following:

Since the pam_authz_search filter takes the following form:

where the <group_spec1> ... <group_specN> values refer to LDAP served
groups and are specified as follows:


The <group_name> values vary in length from ~10 to ~24 characters
long, meaning that each <group_specX> entry varies in length between
~50 and ~64 characters, which effectively limits the pam_authz_search
filter expression to only supporting between 15 and 20 or so groups
when they are specified in this fashion.

In use cases where there are a larger number of groups, this is limiting.

Let me know if there is a better way to accomplish this.
--chris j arges
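
The size arithmetic in the message above, as an added C example that is not part of the original thread and is not nslcd's code: it builds an OR filter into a 1024-byte buffer and rejects the result when it would be truncated. Only the 1024-byte size comes from the thread; the clause template, the `(|...)` wrapper and the function names are assumptions, because the filter form is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

#define FILTER_BUFFER_SIZE 1024 /* filter_buffer size given in the thread */
/* Constructed clause (assumption): 40 characters plus the group name. */
#define CLAUSE_FMT "(memberOf=cn=%s,ou=groups,dc=site,dc=test)"

/* Build "(|<clause1>...<clauseN>)" in buf. Returns the filter length, or -1 with
   buf emptied when it does not fit, so a truncated filter is never searched with. */
int build_authz_filter(char *buf, size_t buflen, const char *const *groups, size_t ngroups)
{
  size_t used = 0, i;
  if (buflen == 0) return -1;
  for (i = 0; i <= ngroups + 1; i++) {
    size_t left = buflen - used;
    int n = (i == 0)       ? snprintf(buf + used, left, "(|")
          : (i <= ngroups) ? snprintf(buf + used, left, CLAUSE_FMT, groups[i - 1])
                           : snprintf(buf + used, left, ")");
    /* snprintf returns the length it needed; >= left means truncation */
    if (n < 0 || (size_t)n >= left) {
      buf[0] = '\0';
      return -1;
    }
    used += (size_t)n;
  }
  return (int)used;
}

/* How many groups with name_len-character names fit in FILTER_BUFFER_SIZE. */
size_t max_groups_that_fit(size_t name_len)
{
  char buf[FILTER_BUFFER_SIZE], name[64];
  const char *groups[64];
  size_t i, count = 0;
  if (name_len >= sizeof(name)) return 0;
  memset(name, 'g', name_len);
  name[name_len] = '\0';
  for (i = 0; i < 64; i++) groups[i] = name;
  while (count < 64 && build_authz_filter(buf, sizeof(buf), groups, count + 1) >= 0)
    count++;
  return count;
}

int main(void)
{
  printf("24-char names: %zu groups, 10-char names: %zu groups\n",
         max_groups_that_fit(24), max_groups_that_fit(10));
  return 0;
}
```

Under these assumptions the program reports 15 groups for 24-character names and 20 for 10-character names, the range the message gives.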
