[
https://issues.apache.org/jira/browse/GUACAMOLE-702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16750539#comment-16750539
]
Nick Couchman commented on GUACAMOLE-702:
-----------------------------------------
[~mike.jumper] Thoughts on this one? I'd like to get GUACAMOLE-234 into the
next release, which may resolve the issue, but we could also change the
behavior of the `ObjectQueryService` class to match the previous behavior, and,
instead of throwing an exception, it could just log an error and return a
`null` value?
> LDAP login impossible for large directories (large search results)
> ------------------------------------------------------------------
>
> Key: GUACAMOLE-702
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-702
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-ldap
> Affects Versions: 1.0.0
> Environment: I'm running guacamole in a docker environment using the
> official base images and a MySQL database. Users are authenticated against an
> Active Directory server in combination with the MySQL database. (Although if
> my assumptions are correct, all of this will be irrelevant)
> Reporter: Micha Kohl
> Priority: Major
>
> I'm running into an issue that prevents me from logging in with LDAP
> authentication configured, which I assume to be the actual source of
> -GUACAMOLE-687- as well (which is why I originally commented on the closed
> issue before I decided to create a new one in the end).
> The login page error message I'm facing is:
> {quote}Unable to query list of objects from LDAP directory.
> {quote}
> which I assume stems from
> [here|https://github.com/apache/guacamole-client/blob/801a5df9f1d7095c52e594dda1a5276fe8cf6524/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java#L231]
> in the new {{ObjectQueryService}}. There is nothing in the log indicating
> the source of this error, a debug log shows the line produced
> [here|https://github.com/apache/guacamole-client/blob/801a5df9f1d7095c52e594dda1a5276fe8cf6524/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java#L194]
> and nothing more.
> This seems to be a problem with the size of the result as limiting the
> potential results via a restrictive {{ldap-user-search-filter}} fixes the
> issue.
> After digging through the code to confirm that nothing has changed
> fundamentally about the way LDAP queries are performed, I noticed that in
> version 0.9.14, the same scenario triggered a warning via this [catch
> block|https://github.com/apache/guacamole-client/blob/1c5951b6ac322a0d1e87ab787803275438d53983/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java#L180],
> allowing the login process to continue normally, while it appears that in
> 1.0.0, the exception will prevent a login altogether.
> I was unable to work around this by increasing {{ldap-max-search-results}},
> which might be related to a separate issue (GUACAMOLE-299). As it stands,
> this means that I will not be able to use version 1.0.0 without maintaining a
> continuously updated {{ldap-user-search-filter}}, unless I'm missing
> something here.
> If this change was by design, I must say that I do not agree with the
> decision as long as {{ldap-max-search-results}} is buggy, as I don't see any
> problems with the old behavior: As long as the user can be successfully
> authenticated against LDAP, the only shortcoming was that the user listing in
> the web interface was incomplete, which is an annoyance at best.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
