Github user necouchman commented on a diff in the pull request:
https://github.com/apache/incubator-guacamole-client/pull/202#discussion_r146660309
--- Diff:
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
---
@@ -251,8 +270,23 @@ private String getConnectionSearchFilter(String userDN,
// The guacConfig group uses the seeAlso attribute to refer
// to these other groups
while (userRoleGroupResults.hasMore()) {
- LDAPEntry entry = userRoleGroupResults.next();
-
connectionSearchFilter.append("(seeAlso=").append(escapingService.escapeLDAPSearchFilter(entry.getDN())).append(")");
+ try {
+ LDAPEntry entry = userRoleGroupResults.next();
+
connectionSearchFilter.append("(seeAlso=").append(escapingService.escapeLDAPSearchFilter(entry.getDN())).append(")");
+ }
+
+ catch (LDAPReferralException e) {
+ if (confService.getFollowReferrals()) {
+ logger.error("Could not follow referral.",
e.getMessage());
+ logger.debug("Error encountered trying to follow
referral.", e);
+ throw new GuacamoleServerException("Could not
follow LDAP referral.", e);
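Review bot: the `logger.error("Could not follow referral.", e.getMessage())` call in the catch block passes `e.getMessage()` as an argument, but the message string has no `{}` placeholder, so with SLF4J-style parameterised logging the referral's detail is silently dropped from the error line; use `"Could not follow referral: {}"` or pass the exception itself as the debug line below already does. Aborting with `GuacamoleServerException` when referral following is explicitly enabled is the right fail-closed choice at this point, since `connectionSearchFilter` is assembled one `(seeAlso=...)` clause at a time and continuing past a failed referral would hand back an incomplete filter that differs from what the administrator configured.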
--- End diff --
My thinking is that if you explicitly enable referral following, an error
following the referrals should cause an abort, and if you disable it, you can
log it and ignore it. I'm not opposed to non-fatal logging here, though, if
that makes more sense. I don't know off the top of my head what the generally
accepted behavior is for other implementations.
In the case of the issue with Active Directory, disabling referral
following completely allows you to query it via LDAP correctly - having it
disabled doesn't cut off expected results or anything like that.
---