You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@guacamole.apache.org by "Micha Kohl (JIRA)" <ji...@apache.org> on 2019/01/15 09:51:00 UTC

[jira] [Created] (GUACAMOLE-702) LDAP login impossible for large directories (large search results)

Micha Kohl created GUACAMOLE-702:
------------------------------------

             Summary: LDAP login impossible for large directories (large search results)
                 Key: GUACAMOLE-702
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-702
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole-auth-ldap
    Affects Versions: 1.0.0
         Environment: I'm running guacamole in a docker environment using the official base images and a MySQL database. Users are authenticated against an Active Directory server in combination with the MySQL database. (Although if my assumptions are correct, all of this will be irrelevant)
            Reporter: Micha Kohl


I'm running into an issue that prevents me from logging in with LDAP authentication configured, which I assume to be the actual source of -GUACAMOLE-687- as well.

The login page error message I'm facing is:
{quote}Unable to query list of objects from LDAP directory.
{quote}
which I assume stems from [here|https://github.com/apache/guacamole-client/blob/801a5df9f1d7095c52e594dda1a5276fe8cf6524/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java#L231] in the new {{ObjectQueryService}}. There is nothing in the log indicating the source of this error, a debug log shows the line produced [here|https://github.com/apache/guacamole-client/blob/801a5df9f1d7095c52e594dda1a5276fe8cf6524/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/ObjectQueryService.java#L194] and nothing more.

This seems to be a problem with the size of the result as limiting the potential results via a restrictive {{ldap-user-search-filter}} fixes the issue.

After digging through the code to confirm that nothing has changed fundamentally about the way LDAP queries are performed, I noticed that in version 0.9.14, the same scenario triggered a warning via this [catch block|https://github.com/apache/guacamole-client/blob/1c5951b6ac322a0d1e87ab787803275438d53983/extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/user/UserService.java#L180], allowing the login process to continue normally, while it appears that in 1.0.0, the exception will prevent a login altogether.

I was unable to work around this by increasing {{ldap-max-search-results}}, which might be related to a separate issue (GUACAMOLE-299). As it stands, this means that I will not be able to use version 1.0.0 without maintaining a continuously updated {{ldap-user-search-filter}}, unless I'm missing something here.

If this change was by design, I must say that I do not agree with the decision as long as {{ldap-max-search-results}} is buggy, as I don't see any problems with the old behavior: As long as the user can be successfully authenticated against LDAP, the only shortcoming was that the user listing in the web interface was incomplete, which is an annoyance at best.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)