[jira] [Commented] (KNOX-644) Limit/page results of LDAP group membership search

Sun, 31 Jul 2016 08:17:48 -0700 

    [ 
https://issues.apache.org/jira/browse/KNOX-644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15401189#comment-15401189
 ] 

Kevin Risden commented on KNOX-644:
-----------------------------------

[~lmccay] - Thanks for the quick attention to this. 

{quote}
I'm not sure that we need to improve the ApacheDS DEMO LDAP server here but 
perhaps there is no other reasonable way to test for the handling of large 
results without doing so. We'll have to consider that carefully.
{quote}

This is definitely something that could be interesting. The paging of results 
doesn't seem to work with the ApacheDS demo ldap server. Also for KNOX-461 
there is no support for computed attributes currently in ApacheDS.

{quote}
* We need to add some unit tests for each feature/improvement
{quote}

Agree on the unit tests. The existing tests with expanded user.ldif actually 
caught the problem. Wasn't sure if it made sense to add another test class for 
the large number of groups.

{quote}
* Both patches seem to be adding the additional groups to user.ldif - if this 
is the same set and we don't need additional for paging then we should just 
have the paging one assume that the the other one was already applied
{quote}

Yes both patches are standalone right now. I'll post the paging patch as an 
addon to the KNOX-644 one.

> Limit/page results of LDAP group membership search 
> ---------------------------------------------------
>
>                 Key: KNOX-644
>                 URL: https://issues.apache.org/jira/browse/KNOX-644
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.6.0
>            Reporter: Kevin Minder
>            Priority: Critical
>             Fix For: 0.10.0
>
>         Attachments: KNOX-644.patch, ad_setup.ps1, create_groups_ldif.py, 
> paging.patch
>
>
> Some users are finding that they have >1000 groups that would be returned 
> given how Knox currently implements group lookup. ActiveDirectory currently 
> limits search results to 1000 items and this causes failures that require 
> workarounds at the client side.  Ideally Knox's LDAP group search 
> implementation would either limit/filter the results or page the result set 
> that are unavoidably large.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to