Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ldap search with paging #8310

Closed
wants to merge 1 commit into from
Closed

ldap search with paging #8310

wants to merge 1 commit into from

Conversation

jackielii
Copy link

this fixes #7702

@hashicorp-cla
Copy link

hashicorp-cla commented Feb 6, 2020
edited

CLA assistant check
All committers have signed the CLA.

@jackielii
Copy link
Author

already done the cla, somehow it still shows not signed

@tyrannosaurus-becks tyrannosaurus-becks self-assigned this Mar 24, 2020
@tyrannosaurus-becks
Copy link
Contributor

Hi @jackielii , thank you for providing this pull request!

To err on the side of caution, would it be possible to add an LDAP configuration parameter of ldap_search_page_size and default it to 0? Then the logic would be, if it's set to > 0, use pagination, otherwise don't?

The reason is, I'd like to maintain the exact current behavior for folks unless they elect to set the page size. Then we can fix the problem, while also being 100% sure we won't break anything for anyone.

@tyrannosaurus-becks
Copy link
Contributor

Also, I'm not sure why the CLA signing isn't working, could there be a mismatch between the email that Github thinks was used for this pull request, and the email that Github thinks you're using to sign it? Or maybe it was a transient failure? Would you be willing to try again?

Sorry for the trouble with it! :-)

@tyrannosaurus-becks tyrannosaurus-becks added bug Used to indicate a potential bug helper/ldaputil labels Mar 24, 2020
@jackielii
Copy link
Author

@tyrannosaurus-becks no probs. Just amended the commit message for the author email.

when it comes to ldap_search_page_size, as the comment says:

// LDAPSearchPageSize is the page size to search LDAP directory.
// Default size is usually 1000, but this number doesn't affect the result.
// It only affect the number of round trips the client has to do.
var LDAPSearchPageSize uint32 = 500

The paging is done within the call conn.SearchWithPaging, it only affects how many round trips it has to use, it always returns the full set as a slice. I know, this feels like a wired API.

@tyrannosaurus-becks tyrannosaurus-becks removed their assignment May 28, 2020
@ncabatoff
Copy link
Collaborator

Hi @jackielii,

I agree with @tyrannosaurus-becks, I think for backwards-compatibility reasons we should make the new behaviour opt-in with a config option. There are so many different LDAP/AD implementations out there that I'm afraid without the opt-in behaviour that we're likely to have a regression somewhere.

@jackielii
Copy link
Author

jackielii commented Jul 8, 2020
edited

Hi @jackielii,

I agree with @tyrannosaurus-becks, I think for backwards-compatibility reasons we should make the new behaviour opt-in with a config option. There are so many different LDAP/AD implementations out there that I'm afraid without the opt-in behaviour that we're likely to have a regression somewhere.

Sorry for the late reply, as I mentioned in the earlier comments: this doesn't change the behavior of the search, it only allows searching against a bigger directory.

I think the confusion comes from the SearchWithPaging vs Search: if you look at the API for SearchWithPaging. It states that:

SearchWithPaging accepts a search request and desired page size in order to execute LDAP queries to fulfill the search request. All paged LDAP query responses will be buffered and the final result will be returned atomically.

A requested pagingSize of 0 is interpreted as no limit by LDAP servers.

Search is basically SearchWithPaging with pagingSize of 0. This might be fine for some LDAP implementations, but on the MS Active Directory it triggers an error LDAP Result Code 4 "Size Limit Exceeded"

So in summary, SearchWithPaging is really just a safer Search

@useful-devops-tools
Copy link

@ncabatoff and @jackielii

Is there any update on this Pull request?
We're running into the same issue now:
LDAP Result Code 4 "Size Limit Exceeded

It looks like this PR would solve the issue with pagination.

@ncabatoff
Copy link
Collaborator

So in summary, SearchWithPaging is really just a safer Search

I am anything but an expert in LDAP, so take this with a grain of salt, but: I don't believe the above is true. At a high level, perhaps, but in practice from looking at rfc2696 and the openldap client code linked, SearchWithPaging uses an LDAP extension and does not issue the same request as Search does just with a 0 instead of a non-zero page size. The RFC is over 20y old now, probably everyone supports this extension at this point, but my experience with LDAP implementations is that they have subtle differences that can come back to bite you.

I maintain my belief that we should make this opt-in behaviour using a new config option. In any event, isn't it desirable to be able to configure the paging size?

@ncabatoff ncabatoff removed their request for review January 21, 2022 16:58
@nordicmachine nordicmachine mentioned this pull request Jan 27, 2023
Closed
@ltcarbonell
Copy link
Contributor

Closing out this PR, work duplicated by the change here

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hghaf099 hghaf099 Awaiting requested review from hghaf099

Assignees
No one assigned
Labels
bug Used to indicate a potential bug helper/ldaputil
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

LDAP search failed: Result Code 4 "Size Limit Exceeded"
8 participants
@jackielii @hashicorp-cla @tyrannosaurus-becks @ncabatoff @useful-devops-tools @ltcarbonell @pmmukh @hsimon-hashicorp