Bug 1303171 - LDAP group sync can return errors for very large result sets
LDAP group sync can return errors for very large result sets
Status: CLOSED ERRATA
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth (Show other bugs)
3.1.0
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Steve Kuznetsov
weiwei jiang
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-29 13:38 EST by Jordan Liggitt
Modified: 2016-10-30 18:54 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-05-12 12:27:41 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jordan Liggitt 2016-01-29 13:38:04 EST
Description of problem:

When a group or user query is very general, and a sync is run to select all groups matching the filter, the result set size can exceed what the LDAP server allows. In that case, running a group sync returns "LDAP Result Code 4 "Size Limit Exceeded"


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
In the sync config file, the result page size should be able to be specified for user and group queries.


Additional info:
Comment 1 Steve Kuznetsov 2016-02-03 10:17:14 EST
Until paging is supported for the LDAP queries, the best way to work around this issue is to use selective whitelists of groups to sync, or more specific filters, in order to reduce the number of LDAP entries being fetched by the queries.
Comment 2 Steve Kuznetsov 2016-02-15 14:11:07 EST
Work for this is happening: https://github.com/openshift/origin/pull/7309
Comment 4 weiwei jiang 2016-02-19 01:54:47 EST
Checked with devenv-rhel7_3467, the paging work well now for both groups and users.

For user:
1> with paging
56c6b922 conn=1025 fd=16 ACCEPT from IP=172.17.42.1:41375 (IP=0.0.0.0:389)
56c6b922 conn=1025 op=0 SRCH base="ou=people,ou=ad,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=inetOrgPerson)"
56c6b922 conn=1025 op=0 SRCH attr=mail testMemberOf
56c6b922 conn=1025 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
56c6b922 conn=1025 op=1 SRCH base="ou=people,ou=ad,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=inetOrgPerson)"
56c6b922 conn=1025 op=1 SRCH attr=mail testMemberOf
56c6b922 conn=1025 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
56c6b922 conn=1025 op=2 SRCH base="ou=people,ou=ad,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=inetOrgPerson)"
56c6b922 conn=1025 op=2 SRCH attr=mail testMemberOf
56c6b922 conn=1025 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
56c6b922 conn=1025 op=3 SRCH base="ou=people,ou=ad,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=inetOrgPerson)"
56c6b922 conn=1025 op=3 SRCH attr=mail testMemberOf
56c6b922 conn=1025 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
56c6b922 conn=1025 op=4 SRCH base="ou=people,ou=ad,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=inetOrgPerson)"
56c6b922 conn=1025 op=4 SRCH attr=mail testMemberOf
56c6b922 conn=1025 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
56c6b922 conn=1025 fd=16 closed (connection lost)

2> without paging:
56c6b946 conn=1026 fd=16 ACCEPT from IP=172.17.42.1:41385 (IP=0.0.0.0:389)
56c6b946 conn=1026 op=0 SRCH base="ou=people,ou=ad,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=inetOrgPerson)"
56c6b946 conn=1026 op=0 SRCH attr=mail testMemberOf
56c6b946 conn=1026 op=0 SEARCH RESULT tag=101 err=0 nentries=5 text=
56c6b946 conn=1026 fd=16 closed (connection lost)


For groups:
1> with paging:
56c6b775 conn=1013 fd=16 ACCEPT from IP=172.17.42.1:41132 (IP=0.0.0.0:389)
56c6b775 conn=1013 op=0 SRCH base="ou=groups,ou=rfc2307,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=groupOfNames)"
56c6b775 conn=1013 op=0 SRCH attr=cn dn member
56c6b775 conn=1013 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
56c6b775 conn=1013 op=1 SRCH base="ou=groups,ou=rfc2307,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=groupOfNames)"
56c6b775 conn=1013 op=1 SRCH attr=cn dn member
56c6b775 conn=1013 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
56c6b775 conn=1013 op=2 SRCH base="ou=groups,ou=rfc2307,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=groupOfNames)"
56c6b775 conn=1013 op=2 SRCH attr=cn dn member
56c6b775 conn=1013 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
56c6b775 conn=1014 fd=23 ACCEPT from IP=172.17.42.1:41134 (IP=0.0.0.0:389)
56c6b775 conn=1013 fd=16 closed (connection lost)

2> without paging:
56c6b80d conn=1019 fd=16 ACCEPT from IP=172.17.42.1:41223 (IP=0.0.0.0:389)
56c6b80d conn=1019 op=0 SRCH base="ou=groups,ou=rfc2307,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=groupOfNames)"
56c6b80d conn=1019 op=0 SRCH attr=cn dn member
56c6b80d conn=1019 op=0 SEARCH RESULT tag=101 err=0 nentries=3 text=
56c6b80d conn=1019 fd=16 closed (connection lost)
56c6b80d conn=1020 fd=16 ACCEPT from IP=172.17.42.1:41225 (IP=0.0.0.0:389)
Comment 5 weiwei jiang 2016-02-19 05:03:40 EST
Also check with OSE with openshift v3.1.1.903 , paging work well.
Comment 7 errata-xmlrpc 2016-05-12 12:27:41 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2016:1064

Note You need to log in before you can comment on or make changes to this bug.