[ https://issues.apache.org/jira/browse/GUACAMOLE-702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16750539#comment-16750539 ]
Nick Couchman commented on GUACAMOLE-702: ----------------------------------------- [~mike.jumper] Thoughts on this one? I'd like to get GUACAMOLE-234 into the next release, which may resolve the issue, but we could also change the behavior of the `ObjectQueryService` class to match the previous behavior, and, instead of throwing an exception, it could just log an error and return a `null` value? > LDAP login impossible for large directories (large search results) > ------------------------------------------------------------------ > > Key: GUACAMOLE-702 > URL: https://issues.apache.org/jira/browse/GUACAMOLE-702 > Project: Guacamole > Issue Type: Bug > Components: guacamole-auth-ldap > Affects Versions: 1.0.0 > Environment: I'm running guacamole in a docker environment using the > official base images and a MySQL database. Users are authenticated against an > Active Directory server in combination with the MySQL database. (Although if > my assumptions are correct, all of this will be irrelevant) > Reporter: Micha Kohl > Priority: Major > > I'm running into an issue that prevents me from logging in with LDAP > authentication configured, which I assume to be the actual source of > -GUACAMOLE-687- as well (which is why I originally commented on the closed > issue before I decided to create a new one in the end). > The login page error message I'm facing is: > {quote}Unable to query list of objects from LDAP directory. > {quote} > which I assume stems from > [here|https://github.com/apache/guacamole-client/blob/801a5df9f1d7095c52e594dda1a5276fe8cf6524/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java#L231] > in the new {{ObjectQueryService}}. There is nothing in the log indicating > the source of this error, a debug log shows the line produced > [here|https://github.com/apache/guacamole-client/blob/801a5df9f1d7095c52e594dda1a5276fe8cf6524/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java#L194] > and nothing more. > This seems to be a problem with the size of the result as limiting the > potential results via a restrictive {{ldap-user-search-filter}} fixes the > issue. > After digging through the code to confirm that nothing has changed > fundamentally about the way LDAP queries are performed, I noticed that in > version 0.9.14, the same scenario triggered a warning via this [catch > block|https://github.com/apache/guacamole-client/blob/1c5951b6ac322a0d1e87ab787803275438d53983/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java#L180], > allowing the login process to continue normally, while it appears that in > 1.0.0, the exception will prevent a login altogether. > I was unable to work around this by increasing {{ldap-max-search-results}}, > which might be related to a separate issue (GUACAMOLE-299). As it stands, > this means that I will not be able to use version 1.0.0 without maintaining a > continuously updated {{ldap-user-search-filter}}, unless I'm missing > something here. > If this change was by design, I must say that I do not agree with the > decision as long as {{ldap-max-search-results}} is buggy, as I don't see any > problems with the old behavior: As long as the user can be successfully > authenticated against LDAP, the only shortcoming was that the user listing in > the web interface was incomplete, which is an annoyance at best. -- This message was sent by Atlassian JIRA (v7.6.3#76005)