Re: LDAPConnection a size limit of 1000 ?

[Peter Burdine <pb...@gmail.com>]

Sorry to bring this up again.  I am looking to use this to setup a system
that has just over 1000 users.  I am planning on using LDAP for auth, but
MySQL for connectivity data.  Does this issue affect the ability for some
users to login, or does it just affect the ability to see all of the LDAP
users in the admin pages?  I don't see this info in the Jira ticket or PR
discussion.

Thanks,
Peter

On Sun, Aug 14, 2016 at 7:17 PM, James Muehlner <james.muehlner@guac-dev.org
> wrote:

> Hey Herve,
>
> I see that you created the pull request and associated ticket. Great!
> Let's move the discussion over to Github at this point.
>
> James
>
>
>
> On Sun, Aug 14, 2016 at 8:05 AM, Herve Guehl <he...@gmail.com>
> wrote:
>
>> Hi James,
>> did my homework (though this was my first time with git :p ).
>> The code in itself is not dirty (I hope ;), I just meant that it would
>> better to get the results from ldap as mentionned by RFC 2696. But IMHO
>> nowadays we can get more than 1000 results using a search in a ldap
>> directory...
>>
>> Hervé
>>
>>
>>
>> On Sun, Aug 14, 2016 at 2:54 AM, James Muehlner <
>> james.muehlner@guac-dev.org> wrote:
>>
>>> Greetings Herve,
>>>
>>> In order to accept code changes into the project, we'll need a pull
>>> request on GitHub <https://github.com/apache/incubator-guacamole-client>,
>>> and a corresponding JIRA issue in the Apache JIRA
>>> <https://issues.apache.org/jira/browse/GUACAMOLE>. See our contribution
>>> guidelines <https://guacamole.incubator.apache.org/open-source/> for
>>> more information.
>>>
>>> As a side note, we're always happy to accept code contributions from the
>>> community, but we do try to make sure that the contributions are always up
>>> to our code quality standards. If you feel that your patch is a bit dirty,
>>> it may have to be cleaned up a bit before we're ready to accept it upstream.
>>>
>>> James
>>>
>>> On Fri, Aug 5, 2016 at 12:45 PM, Herve Guehl <he...@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>> If your active directory contains more than 1000 users in the search
>>>> OU, you'll need to :
>>>>  - Configure your active directory to extend the MaxPageSize limit
>>>> (default 1000) https://technet.microsoft.com/
>>>> en-us/library/cc770976%28v=ws.11%29.aspx
>>>> - Use the included patch (a bit dirty, as it would be better to fetch
>>>> results according to the max page size, but works for me) :
>>>>    - it enable the possibility to get more than 1000 results for a ldap
>>>> request for the guacamole-client. You will have to add ldap-maxresults:
>>>> 2000   (or the value you need) in your guacamole.properties file.
>>>>
>>>> Have fun.
>>>> Hervé
>>>>
>>>
>>>
>>
>

Re: LDAPConnection a size limit of 1000 ?

[Herve Guehl <he...@gmail.com>]

Hi Peter,
You won't see all the users in the admin pages, then you won't be able to
assign rights and connections to the user.
Authentification will work, so you can manage to assign connections
directly in mysql.

Regards.
Hervé


On Tue, Sep 13, 2016 at 2:34 AM, Peter Burdine <pb...@gmail.com> wrote:

> Sorry to bring this up again.  I am looking to use this to setup a system
> that has just over 1000 users.  I am planning on using LDAP for auth, but
> MySQL for connectivity data.  Does this issue affect the ability for some
> users to login, or does it just affect the ability to see all of the LDAP
> users in the admin pages?  I don't see this info in the Jira ticket or PR
> discussion.
>
> Thanks,
> Peter
>
> On Sun, Aug 14, 2016 at 7:17 PM, James Muehlner <
> james.muehlner@guac-dev.org> wrote:
>
>> Hey Herve,
>>
>> I see that you created the pull request and associated ticket. Great!
>> Let's move the discussion over to Github at this point.
>>
>> James
>>
>>
>>
>> On Sun, Aug 14, 2016 at 8:05 AM, Herve Guehl <he...@gmail.com>
>> wrote:
>>
>>> Hi James,
>>> did my homework (though this was my first time with git :p ).
>>> The code in itself is not dirty (I hope ;), I just meant that it would
>>> better to get the results from ldap as mentionned by RFC 2696. But IMHO
>>> nowadays we can get more than 1000 results using a search in a ldap
>>> directory...
>>>
>>> Hervé
>>>
>>>
>>>
>>> On Sun, Aug 14, 2016 at 2:54 AM, James Muehlner <
>>> james.muehlner@guac-dev.org> wrote:
>>>
>>>> Greetings Herve,
>>>>
>>>> In order to accept code changes into the project, we'll need a pull
>>>> request on GitHub
>>>> <https://github.com/apache/incubator-guacamole-client>, and a
>>>> corresponding JIRA issue in the Apache JIRA
>>>> <https://issues.apache.org/jira/browse/GUACAMOLE>. See our contribution
>>>> guidelines <https://guacamole.incubator.apache.org/open-source/> for
>>>> more information.
>>>>
>>>> As a side note, we're always happy to accept code contributions from
>>>> the community, but we do try to make sure that the contributions are always
>>>> up to our code quality standards. If you feel that your patch is a bit
>>>> dirty, it may have to be cleaned up a bit before we're ready to accept it
>>>> upstream.
>>>>
>>>> James
>>>>
>>>> On Fri, Aug 5, 2016 at 12:45 PM, Herve Guehl <he...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>> If your active directory contains more than 1000 users in the search
>>>>> OU, you'll need to :
>>>>>  - Configure your active directory to extend the MaxPageSize limit
>>>>> (default 1000) https://technet.microsoft.com/
>>>>> en-us/library/cc770976%28v=ws.11%29.aspx
>>>>> - Use the included patch (a bit dirty, as it would be better to fetch
>>>>> results according to the max page size, but works for me) :
>>>>>    - it enable the possibility to get more than 1000 results for a
>>>>> ldap request for the guacamole-client. You will have to add ldap-maxresults:
>>>>> 2000   (or the value you need) in your guacamole.properties file.
>>>>>
>>>>> Have fun.
>>>>> Hervé
>>>>>
>>>>
>>>>
>>>
>>
>

Re: LDAPConnection a size limit of 1000 ?

[Mike Jumper <mi...@guac-dev.org>]

Correct:

Scope of 0.9.10-incubating is frozen, so we can't add it to the release
even though it has otherwise passed review.

You will be able to find it on master post-release, and you can definitely
test the patch as it stands.

- Mike

On Sep 13, 2016 12:31 PM, "Herve Guehl" <he...@gmail.com> wrote:

> Hi,
> AFAIK the patch won't be included in 0.9.10
>
> Cheers.
> H.
>
>
> On Tue, Sep 13, 2016 at 8:53 PM, Peter Burdine <pb...@gmail.com> wrote:
>
>> I thought that was the case.  That just means worst case, I have to
>> create the user in the DB manually (with the correct matching user name),
>> then assign the connections until 0.9.10 comes out and the limit is
>> increased.
>>
>> Thanks for the clarification!
>>
>> On Tue, Sep 13, 2016 at 12:18 AM, Mike Jumper <mi...@guac-dev.org>
>> wrote:
>>
>>> The issue should only affect the ability to see the LDAP users in the
>>> admin pages. That's the only place that a query retrieving all users
>>> is attempted.
>>>
>>> The authentication process involves either (1) binding using a DN
>>> derived directly from the username provided or (2) binding using a
>>> dedicated search DN for the sake of querying the DN of the user having
>>> the username provided, and then binding as THAT user. At most,
>>> authentication will involve retrieving a single entry; nothing near
>>> the default limit of 1000 entries.
>>>
>>> - Mike
>>>
>>>
>>> On Mon, Sep 12, 2016 at 5:34 PM, Peter Burdine <pb...@gmail.com>
>>> wrote:
>>> > Sorry to bring this up again.  I am looking to use this to setup a
>>> system
>>> > that has just over 1000 users.  I am planning on using LDAP for auth,
>>> but
>>> > MySQL for connectivity data.  Does this issue affect the ability for
>>> some
>>> > users to login, or does it just affect the ability to see all of the
>>> LDAP
>>> > users in the admin pages?  I don't see this info in the Jira ticket or
>>> PR
>>> > discussion.
>>> >
>>> > Thanks,
>>> > Peter
>>> >
>>> > On Sun, Aug 14, 2016 at 7:17 PM, James Muehlner
>>> > <ja...@guac-dev.org> wrote:
>>> >>
>>> >> Hey Herve,
>>> >>
>>> >> I see that you created the pull request and associated ticket. Great!
>>> >> Let's move the discussion over to Github at this point.
>>> >>
>>> >> James
>>> >>
>>> >>
>>> >>
>>> >> On Sun, Aug 14, 2016 at 8:05 AM, Herve Guehl <he...@gmail.com>
>>> >> wrote:
>>> >>>
>>> >>> Hi James,
>>> >>> did my homework (though this was my first time with git :p ).
>>> >>> The code in itself is not dirty (I hope ;), I just meant that it
>>> would
>>> >>> better to get the results from ldap as mentionned by RFC 2696. But
>>> IMHO
>>> >>> nowadays we can get more than 1000 results using a search in a ldap
>>> >>> directory...
>>> >>>
>>> >>> Hervé
>>> >>>
>>> >>>
>>> >>>
>>> >>> On Sun, Aug 14, 2016 at 2:54 AM, James Muehlner
>>> >>> <ja...@guac-dev.org> wrote:
>>> >>>>
>>> >>>> Greetings Herve,
>>> >>>>
>>> >>>> In order to accept code changes into the project, we'll need a pull
>>> >>>> request on GitHub, and a corresponding JIRA issue in the Apache
>>> JIRA. See
>>> >>>> our contribution guidelines for more information.
>>> >>>>
>>> >>>> As a side note, we're always happy to accept code contributions
>>> from the
>>> >>>> community, but we do try to make sure that the contributions are
>>> always up
>>> >>>> to our code quality standards. If you feel that your patch is a bit
>>> dirty,
>>> >>>> it may have to be cleaned up a bit before we're ready to accept it
>>> upstream.
>>> >>>>
>>> >>>> James
>>> >>>>
>>> >>>> On Fri, Aug 5, 2016 at 12:45 PM, Herve Guehl <herve.guehl@gmail.com
>>> >
>>> >>>> wrote:
>>> >>>>>
>>> >>>>> Hi,
>>> >>>>> If your active directory contains more than 1000 users in the
>>> search
>>> >>>>> OU, you'll need to :
>>> >>>>>  - Configure your active directory to extend the MaxPageSize limit
>>> >>>>> (default 1000)
>>> >>>>> https://technet.microsoft.com/en-us/library/cc770976%28v=ws.
>>> 11%29.aspx
>>> >>>>> - Use the included patch (a bit dirty, as it would be better to
>>> fetch
>>> >>>>> results according to the max page size, but works for me) :
>>> >>>>>    - it enable the possibility to get more than 1000 results for a
>>> ldap
>>> >>>>> request for the guacamole-client. You will have to add
>>> ldap-maxresults: 2000
>>> >>>>> (or the value you need) in your guacamole.properties file.
>>> >>>>>
>>> >>>>> Have fun.
>>> >>>>> Hervé
>>> >>>>
>>> >>>>
>>> >>>
>>> >>
>>> >
>>>
>>
>>
>

Re: LDAPConnection a size limit of 1000 ?

[Herve Guehl <he...@gmail.com>]

Hi,
AFAIK the patch won't be included in 0.9.10

Cheers.
H.


On Tue, Sep 13, 2016 at 8:53 PM, Peter Burdine <pb...@gmail.com> wrote:

> I thought that was the case.  That just means worst case, I have to create
> the user in the DB manually (with the correct matching user name), then
> assign the connections until 0.9.10 comes out and the limit is increased.
>
> Thanks for the clarification!
>
> On Tue, Sep 13, 2016 at 12:18 AM, Mike Jumper <mi...@guac-dev.org>
> wrote:
>
>> The issue should only affect the ability to see the LDAP users in the
>> admin pages. That's the only place that a query retrieving all users
>> is attempted.
>>
>> The authentication process involves either (1) binding using a DN
>> derived directly from the username provided or (2) binding using a
>> dedicated search DN for the sake of querying the DN of the user having
>> the username provided, and then binding as THAT user. At most,
>> authentication will involve retrieving a single entry; nothing near
>> the default limit of 1000 entries.
>>
>> - Mike
>>
>>
>> On Mon, Sep 12, 2016 at 5:34 PM, Peter Burdine <pb...@gmail.com>
>> wrote:
>> > Sorry to bring this up again.  I am looking to use this to setup a
>> system
>> > that has just over 1000 users.  I am planning on using LDAP for auth,
>> but
>> > MySQL for connectivity data.  Does this issue affect the ability for
>> some
>> > users to login, or does it just affect the ability to see all of the
>> LDAP
>> > users in the admin pages?  I don't see this info in the Jira ticket or
>> PR
>> > discussion.
>> >
>> > Thanks,
>> > Peter
>> >
>> > On Sun, Aug 14, 2016 at 7:17 PM, James Muehlner
>> > <ja...@guac-dev.org> wrote:
>> >>
>> >> Hey Herve,
>> >>
>> >> I see that you created the pull request and associated ticket. Great!
>> >> Let's move the discussion over to Github at this point.
>> >>
>> >> James
>> >>
>> >>
>> >>
>> >> On Sun, Aug 14, 2016 at 8:05 AM, Herve Guehl <he...@gmail.com>
>> >> wrote:
>> >>>
>> >>> Hi James,
>> >>> did my homework (though this was my first time with git :p ).
>> >>> The code in itself is not dirty (I hope ;), I just meant that it would
>> >>> better to get the results from ldap as mentionned by RFC 2696. But
>> IMHO
>> >>> nowadays we can get more than 1000 results using a search in a ldap
>> >>> directory...
>> >>>
>> >>> Hervé
>> >>>
>> >>>
>> >>>
>> >>> On Sun, Aug 14, 2016 at 2:54 AM, James Muehlner
>> >>> <ja...@guac-dev.org> wrote:
>> >>>>
>> >>>> Greetings Herve,
>> >>>>
>> >>>> In order to accept code changes into the project, we'll need a pull
>> >>>> request on GitHub, and a corresponding JIRA issue in the Apache
>> JIRA. See
>> >>>> our contribution guidelines for more information.
>> >>>>
>> >>>> As a side note, we're always happy to accept code contributions from
>> the
>> >>>> community, but we do try to make sure that the contributions are
>> always up
>> >>>> to our code quality standards. If you feel that your patch is a bit
>> dirty,
>> >>>> it may have to be cleaned up a bit before we're ready to accept it
>> upstream.
>> >>>>
>> >>>> James
>> >>>>
>> >>>> On Fri, Aug 5, 2016 at 12:45 PM, Herve Guehl <he...@gmail.com>
>> >>>> wrote:
>> >>>>>
>> >>>>> Hi,
>> >>>>> If your active directory contains more than 1000 users in the search
>> >>>>> OU, you'll need to :
>> >>>>>  - Configure your active directory to extend the MaxPageSize limit
>> >>>>> (default 1000)
>> >>>>> https://technet.microsoft.com/en-us/library/cc770976%28v=ws.
>> 11%29.aspx
>> >>>>> - Use the included patch (a bit dirty, as it would be better to
>> fetch
>> >>>>> results according to the max page size, but works for me) :
>> >>>>>    - it enable the possibility to get more than 1000 results for a
>> ldap
>> >>>>> request for the guacamole-client. You will have to add
>> ldap-maxresults: 2000
>> >>>>> (or the value you need) in your guacamole.properties file.
>> >>>>>
>> >>>>> Have fun.
>> >>>>> Hervé
>> >>>>
>> >>>>
>> >>>
>> >>
>> >
>>
>
>

Re: LDAPConnection a size limit of 1000 ?

[Peter Burdine <pb...@gmail.com>]

I thought that was the case.  That just means worst case, I have to create
the user in the DB manually (with the correct matching user name), then
assign the connections until 0.9.10 comes out and the limit is increased.

Thanks for the clarification!

On Tue, Sep 13, 2016 at 12:18 AM, Mike Jumper <mi...@guac-dev.org>
wrote:

> The issue should only affect the ability to see the LDAP users in the
> admin pages. That's the only place that a query retrieving all users
> is attempted.
>
> The authentication process involves either (1) binding using a DN
> derived directly from the username provided or (2) binding using a
> dedicated search DN for the sake of querying the DN of the user having
> the username provided, and then binding as THAT user. At most,
> authentication will involve retrieving a single entry; nothing near
> the default limit of 1000 entries.
>
> - Mike
>
>
> On Mon, Sep 12, 2016 at 5:34 PM, Peter Burdine <pb...@gmail.com> wrote:
> > Sorry to bring this up again.  I am looking to use this to setup a system
> > that has just over 1000 users.  I am planning on using LDAP for auth, but
> > MySQL for connectivity data.  Does this issue affect the ability for some
> > users to login, or does it just affect the ability to see all of the LDAP
> > users in the admin pages?  I don't see this info in the Jira ticket or PR
> > discussion.
> >
> > Thanks,
> > Peter
> >
> > On Sun, Aug 14, 2016 at 7:17 PM, James Muehlner
> > <ja...@guac-dev.org> wrote:
> >>
> >> Hey Herve,
> >>
> >> I see that you created the pull request and associated ticket. Great!
> >> Let's move the discussion over to Github at this point.
> >>
> >> James
> >>
> >>
> >>
> >> On Sun, Aug 14, 2016 at 8:05 AM, Herve Guehl <he...@gmail.com>
> >> wrote:
> >>>
> >>> Hi James,
> >>> did my homework (though this was my first time with git :p ).
> >>> The code in itself is not dirty (I hope ;), I just meant that it would
> >>> better to get the results from ldap as mentionned by RFC 2696. But IMHO
> >>> nowadays we can get more than 1000 results using a search in a ldap
> >>> directory...
> >>>
> >>> Hervé
> >>>
> >>>
> >>>
> >>> On Sun, Aug 14, 2016 at 2:54 AM, James Muehlner
> >>> <ja...@guac-dev.org> wrote:
> >>>>
> >>>> Greetings Herve,
> >>>>
> >>>> In order to accept code changes into the project, we'll need a pull
> >>>> request on GitHub, and a corresponding JIRA issue in the Apache JIRA.
> See
> >>>> our contribution guidelines for more information.
> >>>>
> >>>> As a side note, we're always happy to accept code contributions from
> the
> >>>> community, but we do try to make sure that the contributions are
> always up
> >>>> to our code quality standards. If you feel that your patch is a bit
> dirty,
> >>>> it may have to be cleaned up a bit before we're ready to accept it
> upstream.
> >>>>
> >>>> James
> >>>>
> >>>> On Fri, Aug 5, 2016 at 12:45 PM, Herve Guehl <he...@gmail.com>
> >>>> wrote:
> >>>>>
> >>>>> Hi,
> >>>>> If your active directory contains more than 1000 users in the search
> >>>>> OU, you'll need to :
> >>>>>  - Configure your active directory to extend the MaxPageSize limit
> >>>>> (default 1000)
> >>>>> https://technet.microsoft.com/en-us/library/cc770976%28v=ws.
> 11%29.aspx
> >>>>> - Use the included patch (a bit dirty, as it would be better to fetch
> >>>>> results according to the max page size, but works for me) :
> >>>>>    - it enable the possibility to get more than 1000 results for a
> ldap
> >>>>> request for the guacamole-client. You will have to add
> ldap-maxresults: 2000
> >>>>> (or the value you need) in your guacamole.properties file.
> >>>>>
> >>>>> Have fun.
> >>>>> Hervé
> >>>>
> >>>>
> >>>
> >>
> >
>

Re: LDAPConnection a size limit of 1000 ?

[Mike Jumper <mi...@guac-dev.org>]

The issue should only affect the ability to see the LDAP users in the
admin pages. That's the only place that a query retrieving all users
is attempted.

The authentication process involves either (1) binding using a DN
derived directly from the username provided or (2) binding using a
dedicated search DN for the sake of querying the DN of the user having
the username provided, and then binding as THAT user. At most,
authentication will involve retrieving a single entry; nothing near
the default limit of 1000 entries.

- Mike


On Mon, Sep 12, 2016 at 5:34 PM, Peter Burdine <pb...@gmail.com> wrote:
> Sorry to bring this up again.  I am looking to use this to setup a system
> that has just over 1000 users.  I am planning on using LDAP for auth, but
> MySQL for connectivity data.  Does this issue affect the ability for some
> users to login, or does it just affect the ability to see all of the LDAP
> users in the admin pages?  I don't see this info in the Jira ticket or PR
> discussion.
>
> Thanks,
> Peter
>
> On Sun, Aug 14, 2016 at 7:17 PM, James Muehlner
> <ja...@guac-dev.org> wrote:
>>
>> Hey Herve,
>>
>> I see that you created the pull request and associated ticket. Great!
>> Let's move the discussion over to Github at this point.
>>
>> James
>>
>>
>>
>> On Sun, Aug 14, 2016 at 8:05 AM, Herve Guehl <he...@gmail.com>
>> wrote:
>>>
>>> Hi James,
>>> did my homework (though this was my first time with git :p ).
>>> The code in itself is not dirty (I hope ;), I just meant that it would
>>> better to get the results from ldap as mentionned by RFC 2696. But IMHO
>>> nowadays we can get more than 1000 results using a search in a ldap
>>> directory...
>>>
>>> Hervé
>>>
>>>
>>>
>>> On Sun, Aug 14, 2016 at 2:54 AM, James Muehlner
>>> <ja...@guac-dev.org> wrote:
>>>>
>>>> Greetings Herve,
>>>>
>>>> In order to accept code changes into the project, we'll need a pull
>>>> request on GitHub, and a corresponding JIRA issue in the Apache JIRA. See
>>>> our contribution guidelines for more information.
>>>>
>>>> As a side note, we're always happy to accept code contributions from the
>>>> community, but we do try to make sure that the contributions are always up
>>>> to our code quality standards. If you feel that your patch is a bit dirty,
>>>> it may have to be cleaned up a bit before we're ready to accept it upstream.
>>>>
>>>> James
>>>>
>>>> On Fri, Aug 5, 2016 at 12:45 PM, Herve Guehl <he...@gmail.com>
>>>> wrote:
>>>>>
>>>>> Hi,
>>>>> If your active directory contains more than 1000 users in the search
>>>>> OU, you'll need to :
>>>>>  - Configure your active directory to extend the MaxPageSize limit
>>>>> (default 1000)
>>>>> https://technet.microsoft.com/en-us/library/cc770976%28v=ws.11%29.aspx
>>>>> - Use the included patch (a bit dirty, as it would be better to fetch
>>>>> results according to the max page size, but works for me) :
>>>>>    - it enable the possibility to get more than 1000 results for a ldap
>>>>> request for the guacamole-client. You will have to add ldap-maxresults: 2000
>>>>> (or the value you need) in your guacamole.properties file.
>>>>>
>>>>> Have fun.
>>>>> Hervé
>>>>
>>>>
>>>
>>
>