Github user necouchman commented on a diff in the pull request:
https://github.com/apache/incubator-guacamole-client/pull/202#discussion_r147561005
--- Diff:
extensions/guacamole-auth-ldap/src/main/java/org/apache/guacamole/auth/ldap/connection/ConnectionService.java
---
@@ -251,8 +270,23 @@ private String getConnectionSearchFilter(String userDN,
// The guacConfig group uses the seeAlso attribute to refer
// to these other groups
while (userRoleGroupResults.hasMore()) {
- LDAPEntry entry = userRoleGroupResults.next();
-
connectionSearchFilter.append("(seeAlso=").append(escapingService.escapeLDAPSearchFilter(entry.getDN())).append(")");
+ try {
+ LDAPEntry entry = userRoleGroupResults.next();
+
connectionSearchFilter.append("(seeAlso=").append(escapingService.escapeLDAPSearchFilter(entry.getDN())).append(")");
+ }
+
+ catch (LDAPReferralException e) {
+ if (confService.getFollowReferrals()) {
+ logger.error("Could not follow referral.",
e.getMessage());
+ logger.debug("Error encountered trying to follow
referral.", e);
+ throw new GuacamoleServerException("Could not
follow LDAP referral.", e);
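Review bot: In the new catch block, logger.error("Could not follow referral.", e.getMessage()) passes the exception message as an argument, but the format string has no {} placeholder. If logger is an SLF4J-style logger, the reason will not appear in the error line and will only surface through the debug call. Suggest "Could not follow referral: {}" so that operators see the cause at the default log level. Separately, the throw sits inside the while loop over userRoleGroupResults, so a single unresolvable referral discards the seeAlso clauses already appended and fails the whole connection lookup for that user. If that fail-closed behaviour is the intent when getFollowReferrals() is enabled, a short comment saying so would help the next reader. The branch for getFollowReferrals() being false is not visible in the quoted lines, so it could not be checked here.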
--- End diff --
@mike-jumper Any further thoughts on this, or opinions on which way it
should go? I'm not sure one way or the other - I do tend toward not wanting to
break things if a single operation fails; however, I also think that if you're
explicitly enabling it and it fails, you want a very clear indication that
something is not working. I see both sides, so I'm good going either way -
it's easy enough to change down the road, and will get tweaked, anyway, when we
switch LDAP APIs.
---