[RTFACT-18520] Improve LDAP paging support usage when server doesn't support it Created: 14/Feb/19  Updated: 15/Jan/20

Status: Open
Project: Artifactory Binary Repository
Component/s: Configuration, LDAP
Affects Version/s: 6.7.0, 6.8.0, 6.7.1, 6.7.2, 6.8.1, 6.8.2
Fix Version/s: None

Type: Improvement Priority: Minor
Reporter: Alix Lourme Assignee: Unassigned
Resolution: Unresolved Votes: 4
Labels: LDAP, ldap, ldap_groups

Issue Links:
Relationship
relates to RTFACT-14945 Allow searching for more than 1000 LD... Resolved
Regression:
Yes

 Description   

Upgrading to Artifactory 6.7.3 (from 6.4.x), LDAP groups integration fails with:

[ERROR] (o.a.a.l.p.LdapGroupProviderImpl:178) - An error occurred while retrieving LDAP groups with strategy STATIC, {}
org.springframework.ldap.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]; remaining name 'ou=somegroups,o=company'
    at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:201)
    ...
Caused by: javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3214)
    ...
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.springframework.ldap.core.LdapTemplate$4.executeSearch(LdapTemplate.java:252)
    at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:292)

The root cause seems to be that the LDAP server doesn't support PagedResultControl (detail: spring-ldap#484).

This problem is a regression since 6.6.5 (tested, ok), introduced by RTFACT-14945 (Allow searching for more than 1000 LDAP Groups).

I understand the previous feature, but a functional LDAP groups integration is more important than nothing when searching with more than 1000 groups.

Perhaps a checkbox feature "Use LDAP page result" with tooltip/description "Required for search with more than 1000 groups. Requires that LDAP server supports PagedResultControl feature" could be a solution (updating the LDAP server in a company may not be easy).
If yes, this option should be implemented in YAML Configuration File support.

 



 Comments   
Comment by Alex Goodchild [ 19/Feb/19 ]

I have this issue with 6.8.0

2019-02-19 18:41:39,109 [http-nio-8081-exec-8] [ERROR] (o.a.a.l.p.LdapGroupProviderImpl:115) - [LDAP: error code 12 - Unavailable Critical Extension]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 12 - Unavailable Critical Extension]; remaining name ''

The existing LDAP config has stopped working. 

Comment by Scott Mosher [ 19/Feb/19 ]

Adding the artifactory.ldap.paging.support=false property within your artifactory.system.properties file should work around this behavior in 6.7.X and 6.8.X.

Comment by Alix Lourme [ 20/Feb/19 ]

@Scott Mosher: Thank you very much, it works like a charm.

So I am leaving the issue open but changing its context (minor improvement); it would be nice if Artifactory could "auto detect" paging support, and/or if configuration could be more user-friendly (UI and via YAML).

Comment by Chris Zardis [ 15/Apr/19 ]

Anyone who updates to an affected version without knowing of this change and that their LDAP server doesn't support pagination will get very confused by this. It's not helped by the fact that different LDAP servers seem to handle this in different ways, e.g. some LDAP servers respond to this scenario with "insufficient permission".
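
One way the "auto detect" asked for in this thread could work, as an added Java/JNDI example that is not Artifactory's code: check the rootDSE `supportedControl` attribute for the paged-results OID, and still retry unpaged if the server rejects the control with error code 12. The names `PagingProbe`, `GroupSearch` and `searchGroups` are hypothetical, and the rootDSE contents and search stub in `main` are constructed so the example runs without a directory server.

```java
import javax.naming.NamingException;
import javax.naming.OperationNotSupportedException;
import javax.naming.directory.*;
import javax.naming.ldap.PagedResultsControl;

public class PagingProbe {
    /** Hypothetical hook: a group search that can run with or without the paging control. */
    interface GroupSearch { int run(boolean paged) throws NamingException; }

    /** True if the rootDSE lists the RFC 2696 control (OID 1.2.840.113556.1.4.319). */
    static boolean advertisesPaging(Attributes rootDse) {
        Attribute controls = rootDse.get("supportedControl");
        return controls != null && controls.contains(PagedResultsControl.OID);
    }

    /** Reads supportedControl from the rootDSE (empty DN) of a live, bound context. */
    static boolean probe(DirContext ctx) throws NamingException {
        return advertisesPaging(ctx.getAttributes("", new String[] {"supportedControl"}));
    }

    /** Pages only when advertised; retries unpaged if the control is still rejected. */
    static int searchGroups(boolean pagingAdvertised, GroupSearch search) throws NamingException {
        if (!pagingAdvertised) return search.run(false);
        try {
            return search.run(true);
        } catch (OperationNotSupportedException e) { // LDAP error code 12, as in the log above
            return search.run(false); // unpaged: the server's size limit may cap the result
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed rootDSE for a server that does not list the paged-results control.
        Attributes rootDse = new BasicAttributes(true);
        rootDse.put(new BasicAttribute("supportedControl", "2.16.840.1.113730.3.4.2"));
        System.out.println("paging advertised: " + advertisesPaging(rootDse));

        // Constructed stub: rejects paging like the server in this issue, else finds 3 groups.
        GroupSearch stub = paged -> {
            if (paged) {
                throw new OperationNotSupportedException(
                        "[LDAP: error code 12 - Unavailable Critical Extension]");
            }
            return 3;
        };
        System.out.println("groups, probe trusted: " + searchGroups(advertisesPaging(rootDse), stub));
        System.out.println("groups, probe wrong:   " + searchGroups(true, stub));
    }
}
```

The retry only covers servers that answer with error code 12; a server that reports the same condition differently, as the last comment describes, would still need the `artifactory.ldap.paging.support=false` property.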

Generated at Tue Feb 18 08:05:01 UTC 2020 using JIRA 7.6.16#76018-sha1:9ed376192612a49536ac834c64177a0fed6290f5.