Radius to LDAP Mapping does not pass more than 10 LDAP Groups

Article ID: 160929

Products

VIP Enterprise Gateway

Issue/Introduction

The customer enabled RADIUS to LDAP Mapping and has a user who is a member of 62 LDAP groups. The Validation server logs show that only 10 groups are identified. Here are examples of the errors logged for the other groups:

ERROR    "2013-06-04 09:23:09.443 GMT+0300" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorImpl.authenticateExt() -- freeing additional values at index 10" Thread-105098096 VSAuthOTPFirstFactorImpl.c
ERROR    "2013-06-04 09:23:09.443 GMT+0300" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorImpl.authenticateExt() -- freeing additional values at index 11" Thread-105098096 VSAuthOTPFirstFactorImpl.c
ERROR    "2013-06-04 09:23:09.443 GMT+0300" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorImpl.authenticateExt() -- freeing additional values at index 12" Thread-105098096 VSAuthOTPFirstFactorImpl.c
ERROR    "2013-06-04 09:23:09.443 GMT+0300" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorImpl.authenticateExt() -- freeing additional values at index 13" Thread-105098096 VSAuthOTPFirstFactorImpl.c
ERROR    "2013-06-04 09:23:09.444 GMT+0300" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorImpl.authenticateExt() -- freeing additional values at index 14" Thread-105098096 VSAuthOTPFirstFactorImpl.c
ERROR    "2013-06-04 09:23:09.444 GMT+0300" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorImpl.authenticateExt() -- freeing additional values at index 15" Thread-105098096 VSAuthOTPFirstFactorImpl.c
ERROR    "2013-06-04 09:23:09.444 GMT+0300" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorImpl.authenticateExt() -- freeing additional values at index 16" Thread-105098096 VSAuthOTPFirstFactorImpl.c
ERROR    "2013-06-04 09:23:09.444 GMT+0300" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorImpl.authenticateExt() -- freeing additional values at index 17" Thread-105098096 VSAuthOTPFirstFactorImpl.c
ERROR    "2013-06-04 09:23:09.444 GMT+0300" 0.0.0.0 ValidationEngine 0 0 "text=VSAuthOTPFirstFactorImpl.authenticateExt() -- freeing additional values at index 18" Thread-105098096 

Cause

The default number of attributes in a RADIUS response is 10. This value can be increased by modifying the server.max_attributes_in_response parameter, which is located in the radserver.conf file under the \validation\servers\valServer\conf directory.

 

Resolution

Increase the default value by modifying the server.max_attributes_in_response parameter, which is located in the radserver.conf file under the \validation\servers\valServer\conf directory.
Please note that the maximum length of a RADIUS response is 4096 bytes. Whether all 62 LDAP groups can be returned within a 4096-byte payload therefore depends on the length of the LDAP group names. If the average length is less than or around 50 bytes, they should all be returned. If it is much larger than 50 bytes, some of them will be truncated.
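
The size limit described above can be checked before raising server.max_attributes_in_response. The following is an added example, not code from the product or from this article. It assumes each group name is sent as one standard RADIUS attribute (RFC 2865 type/length/value), models only the protocol size limits and not the gateway's own handling, and uses a hypothetical function name and reserved_bytes parameter.

```python
# Added example: size check for a RADIUS response carrying LDAP group names.
# Assumption: one standard RADIUS attribute (RFC 2865 TLV) per group name.

RADIUS_MAX_PACKET = 4096  # maximum RADIUS packet length in bytes
RADIUS_HEADER = 20        # code (1) + identifier (1) + length (2) + authenticator (16)
ATTR_OVERHEAD = 2         # type (1) + length (1) in front of every attribute value
ATTR_MAX_VALUE = 253      # largest value a single attribute can carry


def plan_group_attributes(groups, reserved_bytes=0):
    """Work out which group names fit in one RADIUS response.

    groups: group-name strings in the order they would be sent.
    reserved_bytes: space kept for other attributes in the same response
    (hypothetical parameter; measure it from your own traffic).
    """
    used = RADIUS_HEADER + reserved_bytes
    fitted, dropped, oversized = [], [], []
    for name in groups:
        value = name.encode("utf-8")  # byte length, not character count
        if len(value) > ATTR_MAX_VALUE:
            oversized.append(name)    # cannot be carried in one attribute
            continue
        size = ATTR_OVERHEAD + len(value)
        if used + size > RADIUS_MAX_PACKET:
            dropped.append(name)      # would push the packet past 4096 bytes
            continue
        used += size
        fitted.append(name)
    return {
        "fitted": len(fitted),        # attribute slots the response must allow
        "dropped": dropped,
        "oversized": oversized,
        "packet_bytes": used,
    }


# Constructed sample data: 62 group names of 50 bytes and of 70 bytes each.
short_groups = ["CN=grp%02d," % i + "x" * 41 for i in range(62)]
long_groups = ["CN=grp%02d," % i + "x" * 61 for i in range(62)]

if __name__ == "__main__":
    for label, groups in (("50-byte names", short_groups),
                          ("70-byte names", long_groups)):
        result = plan_group_attributes(groups)
        print(label, result["fitted"], "fit,", len(result["dropped"]),
              "dropped,", result["packet_bytes"], "bytes")
```

With the constructed 50-byte names all 62 groups fit; with the 70-byte names only 56 fit, so raising the attribute count alone would not return every group.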