Posted to issues@guacamole.apache.org by "Nick Couchman (Jira)" <ji...@apache.org> on 2021/05/17 18:50:00 UTC

[jira] [Assigned] (GUACAMOLE-1130) Ignore non-relevant attributes for objects returned by LDAP Queries

     [ https://issues.apache.org/jira/browse/GUACAMOLE-1130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman reassigned GUACAMOLE-1130:
----------------------------------------

    Assignee:     (was: Nick Couchman)

> Ignore non-relevant attributes for objects returned by LDAP Queries
> -------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1130
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1130
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Edgardo Rodriguez
>            Priority: Minor
>             Fix For: 1.4.0
>
>
> I will briefly try to summarize my motivation for this: since Guacamole got migrated to the Apache Directory API ( GUACAMOLE-234 ), I began to see several messages like this in my logs.
>  * Approximately 8 times per login (I have approx. 80 user logins per day, so logs get quite big because of this).
>  * This certainly has to do with my infrastructure (the attribute that is duplicated and the amount of logs), so the pattern might vary, mostly being noticed in Active Directory environments. Others already mentioned this and it's shown in the issue mentioned above. Other examples from a quick search: [example1|http://mail-archives.apache.org/mod_mbox/guacamole-dev/201906.mbox/%3C156081210953.28315.1595760006523730577.gitbox@gitbox.apache.org%3E] [example2|https://www.mail-archive.com/search?l=dev@guacamole.apache.org&q=subject:%22%5C%5BGitHub%5C%5D+%5C%5Bguacamole%5C-client%5C%5D+mike%5C-jumper+commented+on+issue+%23345%5C%3A+GUACAMOLE%5C-234%5C%3A+Migrate+to+Apache+Directory+API+for+LDAP+Extension%22&o=newest&f=1]
>  * Logs are like these:
> {code:java}
> 19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute - ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the attribute (msDS-RevealedDSAs)
> 19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute - ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the attribute (msDS-RevealedDSAs)
> 19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute - ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the attribute (msDS-RevealedDSAs)
> 19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute - ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the attribute (msDS-RevealedDSAs){code}
> The key for me was: why was Guacamole considering in any way attributes that are completely irrelevant, like *msDS-RevealedDSAs*?
>  
> I made a few tweaks in the code to filter the data returned from LDAP using *SearchRequest* [addAttribute|https://docs.oracle.com/cd/E49437_01/apirefs.111220/e38583/oracle/oud/requests/SearchRequest.html#addAttribute_java_lang_String____] and taking advantage of already "knowing" which attributes are really relevant (and looking forward to retrieving). For example:
> Instead of (wasting memory?) retrieving all the attributes an object might hold, we tell SearchRequest to, in the case of a group, get the attribute defined in configuration that holds the group name (*ldap-group-name-attribute*) and the attribute defined in configuration that tells which attributes hold group members (*ldap-member-attribute-type*). The same applies to user objects.
> In case of LDAP being used for connection storage (guac* attributes), the original "way" should be in place for retrieving anything, as I cannot replicate such a scenario. Perhaps I am wrong, but I really need someone to help me out in this matter.
> As for "normal" LDAP use, the pull request that will be submitted was tested; *ldap-user-attributes* is also being used, so it's working OK (e.g. not being filtered out).
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
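
The attribute-scoped search described in the issue, as an added example using the Apache Directory LDAP API; it is not the code from the pull request or from Guacamole. The helper name `scopedSearch`, the base DN, the filter and the attribute values `cn` and `member` are constructed sample values. It also refuses an empty or wildcard attribute list, since an empty list in an LDAP search means "return all user attributes".

```java
import java.util.LinkedHashSet;
import java.util.Set;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.SearchRequest;
import org.apache.directory.api.ldap.model.message.SearchRequestImpl;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;

public class ScopedSearch {

    // Hypothetical helper: build a search that asks the server for the named
    // attributes only, so unrelated ones (e.g. msDS-RevealedDSAs) never arrive.
    static SearchRequest scopedSearch(String baseDn, String filter,
            String... wanted) throws LdapException {

        Set<String> attrs = new LinkedHashSet<>();
        for (String name : wanted) {
            if (name == null || name.trim().isEmpty())
                continue; // configuration value not set
            name = name.trim();
            // "*" and "+" request all user / all operational attributes,
            // which would undo the restriction.
            if (name.equals("*") || name.equals("+"))
                throw new IllegalArgumentException("Wildcard attribute: " + name);
            attrs.add(name);
        }

        // An empty attribute list means "all user attributes" (RFC 4511),
        // so fail instead of silently falling back to a full retrieval.
        if (attrs.isEmpty())
            throw new IllegalArgumentException("No attributes requested");

        SearchRequest request = new SearchRequestImpl();
        request.setBase(new Dn(baseDn));
        request.setFilter(filter);
        request.setScope(SearchScope.SUBTREE);
        request.addAttributes(attrs.toArray(new String[0]));
        return request;
    }

    public static void main(String[] args) throws LdapException {
        // Constructed sample values standing in for the configured group name
        // attribute and member attribute.
        SearchRequest groups = scopedSearch(
                "OU=Groups,DC=example,DC=com", "(objectClass=group)",
                "cn", "member");
        System.out.println(groups.getAttributes());
    }
}
```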