Longer group name limit to accommodate longer LDAP group name sync. #5295
Comments
|
Our groups are also local groups, which have a 32 character limit, so unfortunately that's not easy to solve. |
|
That too bad, there is no chance a future opnsense version could update the backend to allow 64 chars? |
|
I don't expect so, no, as it will cause issues on local (shell) accounts that are impossible to fix. It might be possible to cut the first 32 characters from the remote end during matching (or strip a prefix/suffix), but this likely will only solve part of the issues. |
|
No worries, thanks for the background info. |
|
While talking about a similar issue, we internally concluded that there might be options to solve this in the long run by allowing to set an alias (or external) name on the group which if available will be used as synchronisation anchor. In which case the internal group name is always a valid one, but externally you could use a longer one. The idea and naming probably needs some more thinking..... if you do want to re-open this issue, feel free to do so. |
We use LDAP as an authentication source of opnsense.
When using ldap membership synchronization you need to manually create the group before its considered in the authentication process.
The bug is that the group name field in opnsense is limited to 32 characters.
Our company policy dictates a longer naming convention, easily surpassing 40 characters in LDAP/AD.
This makes the group synchronization function unusable for us.
Not sure if this classifies as a bug, or if it should be considered a feature request.
Anyway, a longer limit (lets say 64 chars) would solve my problem.
Thanks for considering!
The text was updated successfully, but these errors were encountered: