[
https://issues.apache.org/jira/browse/KNOX-644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15400965#comment-15400965
]
Kevin Risden edited comment on KNOX-644 at 7/31/16 5:52 AM:
------------------------------------------------------------
Attaching the paging patch. There are a few things that happen related to this
patch:
* Had to update to Apache DS 2.0.0-M16 for paging
** See KNOX-508 for details
* With AD could take a while if referrals is set to followed
** Hardcoded to ignore right now
** Should make this configurable like Ranger, Ambari, and others
* If there are more results, AD causes LDAP search to throw
PartialResultsException
** Ignoring this since it doesn't seem to cause any problems
* The ApacheDS LDAP server doesn't allow more than 100 results returned even
with paging
* With AD, if there are more than 1000 results paging will allow a search
* Currently logging is the print statements
Probably makes sense to use memberOf instead of paging through groups - see
KNOX-461.
Would love some comments if this is a good approach or not. I can clean up the
logging if this makes sense.
was (Author: risdenk):
Attaching the paging patch. There are a few things that happen related to this
patch:
* With AD could take a while if referrals is set to followed
** Hardcoded to ignore right now
** Should make this configurable like Ranger, Ambari, and others
* If there are more results, AD causes LDAP search to throw
PartialResultsException
** Ignoring this since it doesn't seem to cause any problems
* The ApacheDS LDAP server doesn't allow more than 100 results returned even
with paging
* With AD, if there are more than 1000 results paging will allow a search
* Currently logging is the print statements
Probably makes sense to use memberOf instead of paging through groups - see
KNOX-461.
Would love some comments if this is a good approach or not. I can clean up the
logging if this makes sense.
> Limit/page results of LDAP group membership search
> ---------------------------------------------------
>
> Key: KNOX-644
> URL: https://issues.apache.org/jira/browse/KNOX-644
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.6.0
> Reporter: Kevin Minder
> Priority: Critical
> Fix For: Future
>
> Attachments: KNOX-644.patch, ad_setup.ps1, create_groups_ldif.py,
> paging.patch
>
>
> Some users are finding that they have >1000 groups that would be returned
> given how Knox currently implements group lookup. ActiveDirectory currently
> limits search results to 1000 items and this causes failures that require
> workarounds at the client side. Ideally Knox's LDAP group search
> implementation would either limit/filter the results or page the result sets
> that are unavoidably large.
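The paged group lookup discussed in this issue, sketched with the JDK's JNDI LDAP API as an added example; it is not the attached paging.patch or any Knox code. The class and method names, the `(member={0})` filter, the command-line arguments and the `LDAP_BIND_PW` environment variable are assumptions made for illustration, and the page size must stay at or below the server limits mentioned in the comment.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class PagedGroupSearch { // hypothetical class, not part of Knox
    // Collects the DNs of every group under searchBase whose member attribute holds userDn.
    static List<String> groupsFor(LdapContext ctx, String searchBase, String userDn,
                                  int pageSize) throws Exception {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"cn"});
        List<String> groups = new ArrayList<>();
        byte[] cookie = null;
        do {
            // Critical control: a server that cannot page must fail instead of truncating,
            // so a short group list is never mistaken for the complete one.
            ctx.setRequestControls(new Control[] {
                new PagedResultsControl(pageSize, cookie, Control.CRITICAL)});
            // userDn is passed as a filter argument, not concatenated into the filter.
            NamingEnumeration<SearchResult> page =
                ctx.search(searchBase, "(member={0})", new Object[] {userDn}, sc);
            try {
                while (page.hasMore()) {
                    groups.add(page.next().getNameInNamespace());
                }
            } catch (PartialResultException e) {
                // Reported in the comment for AD; treated here as the end of this page.
            } finally { page.close(); }
            // The server's response control carries the cookie for the next page.
            cookie = null;
            Control[] responses = ctx.getResponseControls();
            for (Control c : responses == null ? new Control[0] : responses) {
                if (c instanceof PagedResultsResponseControl) {
                    cookie = ((PagedResultsResponseControl) c).getCookie();
                }
            }
        } while (cookie != null && cookie.length > 0);
        return groups;
    }

    // Assumed arguments: ldapUrl bindDn searchBase userDn
    public static void main(String[] args) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]);
        env.put(Context.SECURITY_PRINCIPAL, args[1]);
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PW"));
        env.put(Context.REFERRAL, "ignore"); // same choice the comment describes as hardcoded
        LdapContext ctx = new InitialLdapContext(env, null);
        try { groupsFor(ctx, args[2], args[3], 500).forEach(System.out::println); }
        finally { ctx.close(); }
    }
}
```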