[RTFACT-18520] Improve LDAP paging support usage when server doesn't support it Created: 14/Feb/19 Updated: 15/Jan/20
|Project:||Artifactory Binary Repository|
|Affects Version/s:||6.7.0, 6.8.0, 6.7.1, 6.7.2, 6.8.1, 6.8.2|
|Labels:||LDAP, ldap, ldap_groups|
After upgrading to Artifactory 6.7.3 (from 6.4.x), LDAP groups integration fails with:
The root cause seems to be that the LDAP server doesn't support PagedResultControl (details: spring-ldap#484).
This problem is a regression since 6.6.5 (tested, ok), introduced by
I understand the previous feature, but a functional LDAP groups integration is more important than nothing when a search has more than 1000 groups.
Perhaps a checkbox feature "Use LDAP page result" with tooltip/description "Required for search with more than 1000 groups. Requires that LDAP server supports PagedResultControl feature" could be a solution (updating the LDAP server in a company may not be easy).
|Comment by Alex Goodchild [ 19/Feb/19 ]|
I have this issue with 6.8.0
2019-02-19 18:41:39,109 [http-nio-8081-exec-8] [ERROR] (o.a.a.l.p.LdapGroupProviderImpl:115) - [LDAP: error code 12 - Unavailable Critical Extension]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]; remaining name ''
The existing LDAP config has stopped working.
|Comment by Scott Mosher [ 19/Feb/19 ]|
Adding the artifactory.ldap.paging.support=false property within your artifactory.system.properties file should work around this behavior in 6.7.X and 6.8.X.
|Comment by Alix Lourme [ 20/Feb/19 ]|
@Scott Mosher: Thank you very much, it works like a charm.
So I am leaving the issue open but changing its context (minor improvement); it would be nice if Artifactory could "auto detect" paging support, and/or if the configuration could be more user-friendly (UI and via YAML).
|Comment by Chris Zardis [ 15/Apr/19 ]|
Anyone who updates to an affected version without knowing of this change and that their LDAP server doesn't support pagination will get very confused by this. It's not helped by the fact that different LDAP servers seem to handle this in different ways, e.g. some LDAP servers respond to this scenario with "insufficient permission".
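A pre-upgrade check in the spirit of the auto-detection requested above, as an added example that is not Artifactory code or any commenter's: it reads a root DSE in LDIF form and reports whether the Simple Paged Results control (OID 1.2.840.113556.1.4.319) is advertised, printing the override property from this thread only when it is not. The function names, the sample LDIF and the ldap.example.com host in the comment are assumptions.

```shell
#!/bin/sh
# Added example, not Artifactory code. Reads a root DSE in LDIF form on stdin.
# Live input would come from the OpenLDAP client (host is a placeholder):
#   ldapsearch -x -LLL -H ldap://ldap.example.com -s base -b "" supportedControl

PAGED_RESULTS_OID="1.2.840.113556.1.4.319"  # Simple Paged Results control (RFC 2696)

# Prints "supported", "unsupported", or "unknown" (no supportedControl values
# came back at all, e.g. the root DSE is not readable with this bind).
paging_support() {
    awk -v oid="$PAGED_RESULTS_OID" '
        function check(l,    i, name, val) {
            i = index(l, ":")
            if (i == 0) return
            name = tolower(substr(l, 1, i - 1))      # attribute names are case-insensitive
            val = substr(l, i + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (name != "supportedcontrol") return
            seen = 1
            if (val == oid) found = 1                # exact match, never a substring
        }
        /^#/ { check(line); line = ""; comment = 1; next }          # LDIF comment
        /^ / { if (!comment) line = line substr($0, 2); next }      # unfold continuation
             { check(line); line = $0; comment = 0 }
        END  {
            check(line)
            print (found ? "supported" : (seen ? "unsupported" : "unknown"))
        }
    '
}

# Prints the override line from this thread only when the control is missing.
paging_override() {
    case "$(paging_support)" in
        supported)   echo "# paged results advertised; no override needed" ;;
        unsupported) echo "artifactory.ldap.paging.support=false" ;;
        *)           echo "# supportedControl not returned; check manually" ;;
    esac
}

# Constructed sample root DSEs (not captured from a real server).
SAMPLE_WITH_PAGING='dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.2.840.113556.1.4.319'
SAMPLE_WITHOUT_PAGING='dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1'
SAMPLE_EMPTY='dn:'

printf '%s\n' "$SAMPLE_WITHOUT_PAGING" | paging_override
```

An "unknown" result means the server returned no supportedControl values to this bind, so it says nothing either way about paging.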