
Do not treat LDAP adminLimitExceeded as an error #1091

Closed
hfuru opened this Issue Feb 20, 2018 · 5 comments

3 participants
@hfuru

hfuru commented Feb 20, 2018

When typing a user name to add in Configuration:Roles, Gravitee
displays a red error message if it receives LDAP adminLimitExceeded.

It should not. adminLimitExceeded is a normal occurrence with
some kinds of searches, like substring search. It means the
server rejects this operation or part of it, maybe because the
search term was too general. This is independent of
client-specified limits, which are applied during the operation.

Expected Behavior

No error message, or only in debug mode when an admin is trying
to find out why their LDAP config doesn't work. Or always display it,
but not as an error/warning - just info about how the search is going.

Current Behavior

Our LDAP is configured to return adminLimitExceeded if there
would be too many matches. It just would be annoying to return
sizeLimitExceeded and some arbitrary matching users. With our
60000 users, the list would rarely include the desired match.

So Gravitee displays red errors while the user types the first
characters in a name, then switches to displaying a list of users
when there are few enough matches and LDAP does return them.

Possible Solution

Steps to Reproduce (for bugs)

  1. Set up Gravitee to use LDAP
  2. Set up LDAP to return adminLimitExceeded in some cases. With OpenLDAP,
    e.g. with "olcSizeLimit: size.unchecked=200": Fail if more than 200 matches after
    consulting indexes. Note that this number includes possible hash collisions, so
    it should be higher than the actual desired max.
  3. In the browser, go to Administration:Configuration:Roles:(add a user).
  4. Start typing a user name.
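
The server-side setting from step 2, written out as an added example (it is not from the issue reporter or from Gravitee). It assumes the usual OpenLDAP cn=config layout; the base DN and host used in the check below are placeholders.

```ldif
# Constructed LDIF for step 2: cap the number of candidate entries slapd will
# evaluate (as selected from its indexes) at 200. A search whose candidate set
# is larger is refused with adminLimitExceeded (result code 11) instead of
# returning a truncated list with sizeLimitExceeded (result code 4).
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: size.unchecked=200
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f limits.ldif` (assuming root access to cn=config over ldapi with SASL EXTERNAL). To confirm it fires, run `ldapsearch -x -H ldap://ldap.example.com -b "dc=example,dc=com" '(cn=a*)' 1.1`: ldapsearch exits with the LDAP result code, so an exit status of 11 with "Administrative limit exceeded" means the limit was hit, while a narrower filter such as `(cn=alice*)` that stays under 200 candidates returns normally. The candidate count is compared against size.unchecked before any entry is evaluated or returned, which is why a client-supplied size limit on the search does not prevent it.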

Context

I don't want it to look like something is wrong when all is well.

Your Environment

  • Version used: graviteeio-full-1.13.3
  • Browser Name and version: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
  • Operating System and version: RedHat Linux, RHEL 7.4

@hfuru hfuru changed the title from Do not LDAP adminLimitExceeded as an error to Do not treat LDAP adminLimitExceeded as an error Feb 20, 2018

@brasseld brasseld self-assigned this Feb 21, 2018

@brasseld brasseld added this to the 1.14.0 milestone Feb 21, 2018

@brasseld


Member

brasseld commented Feb 21, 2018

I had a try with Apache Directory Studio, setting ads-maxSizeLimit to a low value (20) but it seems that the behavior of ADS is not the same as OpenLDAP.

Also, what I do not understand is that when doing a search we are clearly asking to limit the number of results, so I don't know how we can reach this adminLimitExceeded.

import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.query.LdapQuery;
import org.springframework.ldap.query.LdapQueryBuilder;
import org.springframework.ldap.query.SearchScope;

// classFilter and queryFilter are built elsewhere by the caller (not shown here).
LdapQuery ldapQuery = LdapQueryBuilder
             .query()
             .base(baseDn)
             .countLimit(20)          // client-side size limit: at most 20 entries returned
             .timeLimit(5000)         // client-side time limit, in milliseconds
             .searchScope(SearchScope.SUBTREE)
             .attributes(
                     LDAP_ATTRIBUTE_GIVENNAME,
                     LDAP_ATTRIBUTE_SURNAME,
                     LDAP_ATTRIBUTE_MAIL,
                     LDAP_ATTRIBUTE_DISPLAYNAME)
             .filter(new AndFilter().and(classFilter).and(queryFilter));

@brasseld brasseld removed this from the 1.14.0 milestone Feb 21, 2018

@hfuru


hfuru commented Feb 21, 2018

@hfuru


hfuru commented Feb 21, 2018

@brasseld


Member

brasseld commented Feb 21, 2018

Ok I got it with your LDAP.

So in that case, the search returns an empty list and we add a WARN log in the mgmt-api log files.

Is this ok for you?
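
The behaviour agreed above (adminLimitExceeded gives an empty list plus a WARN in the mgmt-api log rather than a red error in the browser), as an added example that is not Gravitee's code. It uses Spring LDAP's LdapTemplate as the snippet earlier in the thread does; the class name, the objectClass and attribute names, the SLF4J logger, and the assumption that result code 11 surfaces through JNDI as the plain LimitExceededException (not one of its subclasses) are all illustrative assumptions.

```java
// Added example, not Gravitee's code: user autocomplete lookup that treats the
// server's adminLimitExceeded as "term too broad so far" instead of an error.
import java.util.Collections;
import java.util.List;

import javax.naming.NamingException;
import javax.naming.directory.Attributes;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.ldap.LimitExceededException;
import org.springframework.ldap.TimeLimitExceededException;
import org.springframework.ldap.core.AttributesMapper;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.filter.AndFilter;
import org.springframework.ldap.filter.EqualsFilter;
import org.springframework.ldap.filter.OrFilter;
import org.springframework.ldap.filter.WhitespaceWildcardsFilter;
import org.springframework.ldap.query.LdapQuery;
import org.springframework.ldap.query.LdapQueryBuilder;
import org.springframework.ldap.query.SearchScope;

public class LdapUserLookup {

    private static final Logger LOGGER = LoggerFactory.getLogger(LdapUserLookup.class);
    private static final int MAX_RESULTS = 20;

    private final LdapTemplate ldapTemplate;
    private final String baseDn;

    public LdapUserLookup(LdapTemplate ldapTemplate, String baseDn) {
        this.ldapTemplate = ldapTemplate;
        this.baseDn = baseDn;
    }

    /** Returns users matching the text typed so far, or an empty list. */
    public List<String> findUsers(String typed) {
        // Build the filter from Spring's filter classes so the typed text is
        // escaped; never concatenate user input into a filter string (LDAP injection).
        AndFilter filter = new AndFilter()
                .and(new EqualsFilter("objectClass", "inetOrgPerson"))   // assumed objectClass
                .and(new OrFilter()
                        .or(new WhitespaceWildcardsFilter("cn", typed))
                        .or(new WhitespaceWildcardsFilter("mail", typed)));

        LdapQuery query = LdapQueryBuilder.query()
                .base(baseDn)
                .countLimit(MAX_RESULTS)   // client size limit: applies to entries being returned
                .timeLimit(5000)           // milliseconds
                .searchScope(SearchScope.SUBTREE)
                .attributes("givenName", "sn", "mail", "displayName")
                .filter(filter);

        try {
            // sizeLimitExceeded (result code 4) does not reach this catch block:
            // LdapTemplate ignores it by default and returns the entries collected so far.
            return ldapTemplate.search(query, (AttributesMapper<String>) LdapUserLookup::describe);
        } catch (TimeLimitExceededException e) {
            // A slow or overloaded directory is a real problem: let it propagate.
            throw e;
        } catch (LimitExceededException e) {
            // adminLimitExceeded (result code 11): the server refused the search
            // because the candidate set from its indexes exceeded its size.unchecked
            // limit. That check runs before the client's countLimit is applied, so
            // countLimit(20) cannot prevent it. Not an error for the user; log it
            // server-side and show an empty list until the term is narrower.
            LOGGER.warn("LDAP admin limit reached for '{}' under {}; need a narrower term ({})",
                    typed, baseDn, e.getMessage());
            return Collections.emptyList();
        }
    }

    private static String describe(Attributes attrs) throws NamingException {
        String name = attrs.get("displayName") != null ? (String) attrs.get("displayName").get() : "";
        String mail = attrs.get("mail") != null ? (String) attrs.get("mail").get() : "";
        return name + " <" + mail + ">";
    }
}
```

Only the server log sees the directory's diagnostic text; the browser just gets an empty list, which is what the reporter asked for and avoids echoing LDAP internals to the client.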

@hfuru


hfuru commented Feb 21, 2018
