[
https://issues.apache.org/jira/browse/GUACAMOLE-299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16250372#comment-16250372
]
Jonathan Hankins commented on GUACAMOLE-299:
--------------------------------------------
Related to GUACAMOLE-263 (and possibly complicated by GUACAMOLE-234, see
below). There is a difference between the setting that the
ldap-max-search-results parameter affects and LDAP paged results. The mailing
list thread the OP linked has some discussion.
To be clear, it is currently not possible to retrieve more than 1000 results
from a query against a MS AD LDAP server from within Guacamole's LDAP extension,
regardless of the setting of ldap-max-search-results. There is an option to
change the 1000-per-page limit on the AD LDAP server, but it is not recommended
/ commonly done in production, and AD LDAP still returns paged results, you are
just changing the page size. See:
http://jeftek.com/219/avoid-changing-the-maxpagesize-ldap-query-policy/
Microsoft AD LDAP returns up to 1000 (default) records. If your query returns
more than 1000 records, you have to enable the paged results extension in your
client to retrieve all of the records. From the command line with openldap's
ldapsearch, this is accomplished with, e.g., "-E pr=9999/noprompt".
This can be supported in JLDAP, but the client has to be written to
purposefully make use of it (i.e., there is logic that has to happen to return
and accumulate paged results).
Also, it looks like there is a migration in progress from JLDAP to Apache
Directory's LDAP API in GUACAMOLE-234. Work to support paged results would have
to happen in the current code using JLDAP to make it work now, but also carried
over to whatever the equivalent is in Apache Directory's LDAP API as that work
is done.
Hope that is clear.
-Jonathan Hankins
For reference:
https://www.novell.com/documentation/developer/jldap/jldapenu/data/ab4nqsm.html
https://github.com/aptivate/openldap-jldap/blob/master/com/novell/ldap/controls/LDAPPagedResultsControl.java
https://directory.apache.org/api/gen-docs/latest/apidocs/org/apache/directory/api/ldap/model/message/controls/PagedResults.html
https://tools.ietf.org/html/rfc2696
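As an added illustration (not Guacamole's code, and not the JLDAP or Apache Directory API), the following Python shows the two pieces Jonathan describes: the RFC 2696 control value (SEQUENCE { size INTEGER, cookie OCTET STRING }) and the client-side loop that resends the search with the returned cookie and accumulates pages until the cookie comes back empty. FakeADServer, its cookie format and the entry names are constructed assumptions standing in for a DC that clamps every page to its MaxPageSize of 1000.

```python
AD_DEFAULT_MAX_PAGE_SIZE = 1000  # AD's default MaxPageSize LDAP query policy

def _ber_len(n: int) -> bytes:
    if n < 0x80:  # short-form BER length
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw  # long form: count of length octets, then the octets

def _read_tlv(data: bytes, pos: int, tag: int):
    """Read one BER element with the expected tag; return (contents, next offset)."""
    if data[pos] != tag:
        raise ValueError("unexpected BER tag 0x%02x" % data[pos])
    length, pos = data[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return data[pos:pos + length], pos + length

def encode_paged_control(size: int, cookie: bytes) -> bytes:
    """controlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING } (RFC 2696)."""
    size_b = size.to_bytes((size.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
    body = b"\x02" + _ber_len(len(size_b)) + size_b + b"\x04" + _ber_len(len(cookie)) + cookie
    return b"\x30" + _ber_len(len(body)) + body

def decode_paged_control(value: bytes):
    seq, _ = _read_tlv(value, 0, 0x30)
    size_b, pos = _read_tlv(seq, 0, 0x02)
    cookie, _ = _read_tlv(seq, pos, 0x04)
    return int.from_bytes(size_b, "big", signed=True), cookie

class FakeADServer:
    """Constructed stand-in for an AD DC (not a real LDAP server): clamps every page
    to MaxPageSize and returns an empty cookie with the last page."""
    def __init__(self, entries, max_page_size: int = AD_DEFAULT_MAX_PAGE_SIZE):
        self.entries, self.max_page_size = entries, max_page_size
    def search(self, control_value: bytes):
        size, cookie = decode_paged_control(control_value)
        start = int.from_bytes(cookie, "big") if cookie else 0  # our cookie: offset of next page
        end = min(start + min(size, self.max_page_size), len(self.entries))
        next_cookie = b"" if end >= len(self.entries) else end.to_bytes(4, "big")
        return self.entries[start:end], encode_paged_control(0, next_cookie)  # size 0 = unknown

def search_all(server: FakeADServer, page_size: int = AD_DEFAULT_MAX_PAGE_SIZE):
    """The accumulation loop the client must add: resend with the last cookie until empty."""
    results, cookie = [], b""
    while True:
        page, response = server.search(encode_paged_control(page_size, cookie))
        results.extend(page)
        _, cookie = decode_paged_control(response)
        if not cookie:  # RFC 2696 section 3: an empty cookie means no more pages
            return results
```

A single search that asks for 9999 entries still gets only one 1000-entry page back from this server, which is what the reporter's user list is seeing; only the loop in search_all reaches the full set.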
> ldap paged results limited to 1000
> ----------------------------------
>
> Key: GUACAMOLE-299
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-299
> Project: Guacamole
> Issue Type: Bug
> Components: guacamole-auth-ldap
> Affects Versions: 0.9.12-incubating
> Reporter: Isaac Marco Blancas
> Attachments: Selección568.png
>
>
> The guacamole/#/settings/users just finds the first 1000 LDAP people. When an
> existing user is not located I can create a new user with his uid and he can
> authenticate with no problems, but this message is captured in the logs.
> guacamole[16369]: 08:39:57.685 [http-nio-8080-exec-6] WARN
> o.a.g.auth.ldap.user.UserService - Could not query list of all users for
> attribute "uid": Error while querying users.
> On the other hand, if I edit the user I can't see the MySQL and LDAP tabs... he is
> not recognized as an LDAP user. See attachment.
> The same problem has been reported with AD in the forum:
> http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Guacamole-and-Active-Directory-Paged-Results-td684.html
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)