[ 
https://issues.apache.org/jira/browse/GUACAMOLE-1130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Edgardo Rodriguez updated GUACAMOLE-1130:
-----------------------------------------
    Description: 
I will briefly try to summarize my motivation on this. Since Guacamole got 
migrated to Apache Directory API ( GUACAMOLE-234 ), I began to see several 
messages like this in my logs.
 * Approximately 8 times per login (I have approx. 80 user logins per day, so 
logs get quite big because of this).
 * This certainly has to do with my infrastructure (the attribute that is 
duplicated and the amount of logs), so the pattern might vary, and it is mostly 
noticed in Active Directory environments. Others already mentioned this and 
it's shown in the issue mentioned above. Other examples from a quick search: 
[example1|http://mail-archives.apache.org/mod_mbox/guacamole-dev/201906.mbox/%3c156081210953.28315.1595760006523730577.git...@gitbox.apache.org%3E]
 
[example2|https://www.mail-archive.com/[email protected]&q=subject:%22%5C%5BGitHub%5C%5D+%5C%5Bguacamole%5C-client%5C%5D+mike%5C-jumper+commented+on+issue+%23345%5C%3A+GUACAMOLE%5C-234%5C%3A+Migrate+to+Apache+Directory+API+for+LDAP+Extension%22&o=newest&f=1]
 * Logs are like these:

{code:java}
19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute - ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the attribute (msDS-RevealedDSAs)
19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute - ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the attribute (msDS-RevealedDSAs)
19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute - ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the attribute (msDS-RevealedDSAs)
19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute - ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the attribute (msDS-RevealedDSAs)
{code}
The key for me was, why was guacamole considering in any way attributes that 
are completely irrelevant like *msDS-RevealedDSAs*?

 

I made a few tweaks in the code to filter returned data from LDAP using 
*SearchRequest* 
[addAttribute|https://docs.oracle.com/cd/E49437_01/apirefs.111220/e38583/oracle/oud/requests/SearchRequest.html#addAttribute_java_lang_String____]
 and taking advantage of already "knowing" which attributes are really relevant 
(and looking forward to retrieve). In this way, for example:
Instead of (wasting memory?) retrieving all the attributes an object might hold, 
we tell SearchRequest to, in case of a group, get the attribute defined in 
configuration that holds the group name (*ldap-group-name-attribute*) and the 
attribute defined in configuration that tells which attributes hold group 
members (*ldap-member-attribute-type*). The same applies for user objects.

In case of LDAP being used for connection storage (guac* attributes) the 
original "way" should be in place for retrieving anything, as I cannot 
replicate such a scenario. Perhaps I am wrong, but I really need someone to help 
me out in this matter.



As for "normal" LDAP use, the pull request that will be submitted was tested, 
also *ldap-user-attributes* is being used so it's working OK (e.g. not being 
filtered out).

 

  was:Description WIP


> Ignore non-relevant attributes for objects returned by LDAP Queries
> -------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1130
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1130
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole-auth-ldap
>            Reporter: Edgardo Rodriguez
>            Priority: Minor



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
