pam_auth group selection issue with more than 128 groups membership
We have an issue with group selection when an account has more than 32 Linux groups connected with it. A user with membership in 33 or more groups successfully authenticates but is passed to a default group with no custom routes. I guess it's a PAM module issue, but I have no idea how to fix it.
----config file ----
/etc/ocserv/ocserv.conf
auth = "pam[gid-min=10000]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /var/run/ocserv-socket
isolate-workers = true
max-clients = 16
max-same-clients = 2
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
cert-user-oid = 0.9.2342.19200300.100.1.1
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
auth-timeout = 40
min-reauth-time = 3
max-ban-score = 50
ban-reset-time = 300
cookie-timeout = 300
cookie-rekey-time = 14400
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-utmp = false
use-occtl = true
pid-file = /var/run/ocserv.pid
device = vpns
predictable-ips = true
compression = true
ipv4-network = 10.130.136.0/24
ping-leases = false
#restrict-user-to-routes = true
append-global-routes = false
select-group = SA
select-group = Users
auto-select-group = false
config-per-user = /etc/ocserv/config-per-user
config-per-group = /etc/ocserv/config-per-group
route-add-cmd = "ip route add %{R} dev %{D}"
route-del-cmd = "ip route delete %{R} dev %{D}"
cisco-client-compat = true
---pam module---
/etc/pam.d/ocserv
#%PAM-1.0
auth sufficient pam_ldap.so debug
account sufficient pam_ldap.so debug
password sufficient pam_ldap.so debug
---affected user---
Please enter your username.
Username:******
POST https://************/auth
> POST /auth HTTP/1.1
> Host: ***********
> User-Agent: Open AnyConnect VPN Agent v7.06
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 0000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 234
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-reply"><version who="vpn">v7.06</version><device-id>linux-64</device-id><auth><username>******</username></auth><group-select>SA</group-select></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Set-Cookie: webvpncontext=nxFuXVMj9t6Ij+Q5VFiN8Q==; Max-Age=300; Secure
Content-Type: text/xml
Content-Length: 310
X-Transcend-Version: 1
HTTP body length: (310)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="auth-request">
< <version who="sg">0.1(1)</version>
< <auth id="main">
< <message>Please enter your password.</message>
< <form method="post" action="/auth">
< <input type="password" name="password" label="Password:" />
< </form></auth>
< </config-auth>
Please enter your password.
Password:
POST https://************/auth
> POST /auth HTTP/1.1
> Host: *********
> User-Agent: Open AnyConnect VPN Agent v7.06
> Cookie: webvpncontext=nxFuXVMj9t6Ij+Q5VFiN8Q==
> Accept: */*
> Accept-Encoding: identity
> X-Transcend-Version: 1
> X-Aggregate-Auth: 1
> X-AnyConnect-Platform: linux-64
> X-Support-HTTP-Auth: true
> X-Pad: 00000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 209
>
> <?xml version="1.0" encoding="UTF-8"?>
> <config-auth client="vpn" type="auth-reply"><version who="vpn">v7.06</version><device-id>linux-64</device-id><auth><password>******</password></auth></config-auth>
Got HTTP response: HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/xml
Content-Length: 189
X-Transcend-Version: 1
Set-Cookie: webvpncontext=nxFuXVMj9t6Ij+Q5VFiN8Q==; Secure
Set-Cookie: webvpn=<elided>; Secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure
Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:6260E353917A21CE78512A34BBD88075DD2B519D; path=/; Secure
HTTP body length: (189)
< <?xml version="1.0" encoding="UTF-8"?>
< <config-auth client="vpn" type="complete">
< <version who="sg">0.1(1)</version>
< <auth id="success">
< <title>SSL VPN Service</title></auth></config-auth>
> CONNECT /CSCOSSLC/tunnel HTTP/1.1
> Host: ***************
> User-Agent: Open AnyConnect VPN Agent v7.06
> Cookie: webvpn=+oCba/+cb3XchxQ3zYW0nMO37/YB9cGN2JBFzv3FdGFe0Xx1ZNbvPjoejh5VGPlC2EF8VE5fjLcERfN88Vh7L5M7VTNClfPIaHzkCb7jblIgXQ==
> X-CSTP-Version: 1
> X-CSTP-Hostname: box3
> X-CSTP-Accept-Encoding: oc-lz4,lzs
> X-CSTP-MTU: 1406
> X-CSTP-Address-Type: IPv6,IPv4
> X-CSTP-Full-IPv6-Capability: true
> X-DTLS-Master-Secret: B1AB2E0AE81A306466F2F75347A9E1CE8FBDBA4535CCDD6C97D28D990C0207947D0EB83F2145DFCE6C04D701DF947778
> X-DTLS-CipherSuite: OC-DTLS1_2-AES256-GCM:OC-DTLS1_2-AES128-GCM:AES256-SHA:AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA
> X-DTLS-Accept-Encoding: oc-lz4,lzs
>
Got CONNECT response: HTTP/1.1 200 CONNECTED
X-CSTP-Version: 1
X-CSTP-Server-Name: ocserv 0.10.11
X-CSTP-DPD: 90
X-CSTP-Default-Domain: ******************
X-CSTP-Base-MTU: 1355
X-CSTP-Address: 10.130.136.29
X-CSTP-Netmask: 255.255.255.0
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Split-DNS: ********
X-CSTP-Tunnel-All-DNS: false
X-CSTP-Keepalive: 32400
X-CSTP-Idle-Timeout: none
X-CSTP-Smartcard-Removal-Disconnect: true
X-CSTP-Rekey-Time: 172813
X-CSTP-Rekey-Method: ssl
X-CSTP-Session-Timeout: none
X-CSTP-Disconnected-Timeout: none
X-CSTP-Keep: true
X-CSTP-TCP-Keepalive: true
X-CSTP-License: accept
X-DTLS-Session-ID: afe8f4769e3a279a7b2ccdb5f8dd97897c4549dbc102f7c43164523a64857f50
X-DTLS-DPD: 90
X-DTLS-Port: 443
X-DTLS-Rekey-Time: 172823
X-DTLS-Rekey-Method: ssl
X-DTLS-Keepalive: 32400
X-DTLS-CipherSuite: OC-DTLS1_2-AES128-GCM
X-DTLS-MTU: 1289
X-CSTP-MTU: 1289
X-DTLS-Content-Encoding: oc-lz4
X-CSTP-Content-Encoding: oc-lz4
CSTP connected. DPD 90, Keepalive 32400
CSTP Ciphersuite: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
DTLS option X-DTLS-Session-ID : afe8f4769e3a279a7b2ccdb5f8dd97897c4549dbc102f7c43164523a64857f50
DTLS option X-DTLS-DPD : 90
DTLS option X-DTLS-Port : 443
DTLS option X-DTLS-Rekey-Time : 172823
DTLS option X-DTLS-Rekey-Method : ssl
DTLS option X-DTLS-Keepalive : 32400
DTLS option X-DTLS-CipherSuite : OC-DTLS1_2-AES128-GCM
DTLS option X-DTLS-MTU : 1289
DTLS option X-DTLS-Content-Encoding : oc-lz4
DTLS initialised. DPD 90, Keepalive 32400
Connected tun0 as 10.130.136.29, using SSL + lz4
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-128-GCM).
Edited by Nikos Mavrogiannopoulos
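The report describes a user in more than 32 groups who authenticates fine but lands in the default group. One mechanism that produces exactly that symptom is a fixed-size gid array handed to getgrouplist(3): when the buffer is too small the call returns -1 (not a partial list) and stores the real count in *ngroups, so a membership check that treats lookup failure as "not a member" silently refuses the selected group. The block below is an added example, not ocserv's code and not taken from this issue: getgrouplist is replaced by a stub with its documented contract so the example runs offline, the 40-group user is a constructed fixture, and MAX_GROUPS = 32, GID_MIN = 10000 (mirroring `pam[gid-min=10000]`) and the SA gid are assumptions. It contrasts the fixed-buffer pattern with a buffer grown to the count the lookup reports.

```c
/* Added example, not ocserv code.  Why a fixed-size group buffer drops a
 * user with more than MAX_GROUPS supplementary groups into the default
 * group, and the retry pattern that avoids it.  getgrouplist(3) is
 * replaced by a stub with the same documented contract (copy up to
 * *ngroups entries; on overflow return -1 and store the real count in
 * *ngroups) so this runs offline.  MAX_GROUPS, GID_MIN, SA_GID and the
 * fixture are assumptions, not values from ocserv. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

#define MAX_GROUPS 32
#define GID_MIN    10000u
#define SA_GID     10001u   /* constructed gid for the "SA" group */
#define NFIXTURE   40       /* constructed user: member of 40 groups */

static gid_t fixture[NFIXTURE];
static int fixture_ready;

/* Constructed membership: two low system gids (ignored by gid-min),
 * 37 filler groups, and SA as the last entry. */
static void init_fixture(void)
{
    if (fixture_ready) return;
    fixture[0] = 100;        /* e.g. "users", below gid-min */
    fixture[1] = 1000;       /* primary group, below gid-min */
    for (int i = 2; i < NFIXTURE - 1; i++)
        fixture[i] = 20000u + (gid_t)i;
    fixture[NFIXTURE - 1] = SA_GID;
    fixture_ready = 1;
}

/* Stub with the getgrouplist(3) contract; user/primary gid are ignored. */
static int fake_getgrouplist(const char *user, gid_t primary,
                             gid_t *groups, int *ngroups)
{
    (void)user; (void)primary;
    init_fixture();
    int avail = *ngroups;
    int n = NFIXTURE < avail ? NFIXTURE : avail;
    memcpy(groups, fixture, (size_t)n * sizeof(gid_t));
    *ngroups = NFIXTURE;             /* real count, even when truncated */
    return NFIXTURE > avail ? -1 : n;
}

/* 1 if `wanted` is in the list and not below GID_MIN, else 0. */
static int has_gid(const gid_t *g, int n, gid_t wanted)
{
    for (int i = 0; i < n; i++)
        if (g[i] >= GID_MIN && g[i] == wanted)
            return 1;
    return 0;
}

/* Failure mode: fixed buffer, and a truncated lookup is treated as
 * "not a member", so the selected group is silently refused. */
int select_group_fixed(const char *user, gid_t wanted)
{
    gid_t groups[MAX_GROUPS];
    int ngroups = MAX_GROUPS;
    if (fake_getgrouplist(user, 1000, groups, &ngroups) < 0)
        return 0;                    /* caller falls back to default group */
    return has_gid(groups, ngroups, wanted);
}

/* Fix: start at MAX_GROUPS, grow to the count the lookup reports, retry
 * (bounded, since membership can change between calls).
 * Returns 1/0, or -1 if the lookup still fails. */
int select_group_dynamic(const char *user, gid_t wanted)
{
    int ngroups = MAX_GROUPS;
    gid_t *groups = NULL;
    for (int attempt = 0; attempt < 4; attempt++) {
        gid_t *p = realloc(groups, (size_t)ngroups * sizeof(gid_t));
        if (!p) { free(groups); return -1; }
        groups = p;
        int had = ngroups;
        if (fake_getgrouplist(user, 1000, groups, &ngroups) >= 0) {
            int r = has_gid(groups, ngroups, wanted);
            free(groups);
            return r;
        }
        if (ngroups <= had)          /* defensive: no growth reported */
            ngroups = had * 2;
    }
    free(groups);
    return -1;
}

/* Total groups a full lookup reports; compare with `id -G <user> | wc -w`
 * on a real host to see whether a user crosses the 32 threshold. */
int group_count(const char *user)
{
    int ngroups = 0;
    gid_t probe;
    (void)fake_getgrouplist(user, 1000, &probe, &ngroups);
    return ngroups;
}

int main(void)
{
    printf("groups: %d fixed: %d dynamic: %d\n", group_count("u"),
           select_group_fixed("u", SA_GID), select_group_dynamic("u", SA_GID));
    return 0;
}
```

The fixed-buffer variant returns 0 for SA even though the user is a member, which is the "authenticates but gets the default group" symptom; the growing variant finds it. On a real host, `id -G <user> | wc -w` shows whether the affected account is over 32, and the array size used by the PAM backend's group lookup is the place to check in the server source.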