[
https://issues.apache.org/jira/browse/GUACAMOLE-1130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nick Couchman updated GUACAMOLE-1130:
-------------------------------------
Fix Version/s: 1.4.0
> Ignore non-relevant attributes for objects returned by LDAP Queries
> -------------------------------------------------------------------
>
> Key: GUACAMOLE-1130
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1130
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-ldap
> Reporter: Edgardo Rodriguez
> Priority: Minor
> Fix For: 1.4.0
>
>
> I will briefly try to summarize my motivation on this. Since Guacamole got
> migrated to Apache Directory API (GUACAMOLE-234), I began to see several
> messages like this in my logs.
> * Approximately 8 times per login (I have approx. 80 user logins per day, so
> logs get quite big because of this).
> * This certainly has to do with my infrastructure (the attribute that is
> duplicated and the amount of logs), so the pattern might vary, mostly being
> noticed on Active Directory environments. Others already mentioned this and
> it's shown in the issue mentioned above. Other examples from a quick search:
> [example1|http://mail-archives.apache.org/mod_mbox/guacamole-dev/201906.mbox/%3c156081210953.28315.1595760006523730577.git...@gitbox.apache.org%3E]
>
> [example2|https://www.mail-archive.com/[email protected]&q=subject:%22%5C%5BGitHub%5C%5D+%5C%5Bguacamole%5C-client%5C%5D+mike%5C-jumper+commented+on+issue+%23345%5C%3A+GUACAMOLE%5C-234%5C%3A+Migrate+to+Apache+Directory+API+for+LDAP+Extension%22&o=newest&f=1]
> * Logs are like these:
> {code:java}
> 19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute -
> ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain
> Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the
> attribute (msDS-RevealedDSAs)
> 19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute -
> ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain
> Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the
> attribute (msDS-RevealedDSAs)
> 19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute -
> ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain
> Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the
> attribute (msDS-RevealedDSAs)
> 19:28:51.564 [NioProcessor-7] WARN o.a.d.a.l.m.entry.DefaultAttribute -
> ERR_13207_VALUE_ALREADY_EXISTS The value 'CN=DC1,OU=Friday,OU=Domain
> Controllers,DC=super,DC=awesome,DC=domain,DC=com' already exists in the
> attribute (msDS-RevealedDSAs){code}
> The key for me was: why was Guacamole considering in any way attributes that
> are completely irrelevant, like *msDS-RevealedDSAs*?
>
> I made a few tweaks in the code to filter the data returned from LDAP using
> *SearchRequest*
> [addAttribute|https://docs.oracle.com/cd/E49437_01/apirefs.111220/e38583/oracle/oud/requests/SearchRequest.html#addAttribute_java_lang_String____]
> and taking advantage of already "knowing" which attributes are really
> relevant (and that we are looking to retrieve). In this way, for example:
> Instead of (wasting memory?) retrieving all the attributes an object might
> hold, we tell SearchRequest to, in the case of a group, get the attribute
> defined in configuration that holds the group name
> (*ldap-group-name-attribute*) and the attribute defined in configuration that
> tells which attributes hold group members (*ldap-member-attribute-type*). The
> same applies to user objects.
> In the case of LDAP being used for connection storage (guac* attributes), the
> original "way" should be in place for retrieving anything, as I cannot
> replicate such a scenario. Perhaps I am wrong, but I really need someone to
> help me out in this matter.
> As for "normal" LDAP use, the pull request that will be submitted was tested;
> also, *ldap-user-attributes* is being used, so it's working OK (e.g. not being
> filtered out).
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
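
The attribute restriction described in the issue above, sketched against the Apache Directory LDAP API as an added example (it is not Guacamole's code and not the reporter's pull request). The class name, base DN, filter and attribute values are constructed, and the handling of an empty attribute list is an assumption about what a caller would want.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;

import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.message.SearchRequest;
import org.apache.directory.api.ldap.model.message.SearchRequestImpl;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;

// Hypothetical helper class; not part of guacamole-auth-ldap.
public class RestrictedSearch {

    // Builds a subtree search that asks the server for the named attributes only.
    static SearchRequest build(String baseDn, String filter, List<String> configured)
            throws LdapException {
        // Attribute names are case-insensitive, so "cn" and "CN" are one attribute.
        Set<String> wanted = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
        for (String name : configured) {
            if (name != null && !name.trim().isEmpty())
                wanted.add(name.trim());
        }

        SearchRequest request = new SearchRequestImpl();
        request.setBase(new Dn(baseDn));
        request.setFilter(filter);
        request.setScope(SearchScope.SUBTREE);

        // In LDAP (RFC 4511) an empty attribute list means "all user attributes".
        // If configuration yields nothing, send "1.1" (no attributes) so the
        // search cannot silently fall back to retrieving everything.
        if (wanted.isEmpty())
            request.addAttributes("1.1");
        else
            request.addAttributes(wanted.toArray(new String[0]));
        return request;
    }

    public static void main(String[] args) throws LdapException {
        // Constructed values standing in for what the configured
        // group-name and member attributes might resolve to.
        SearchRequest groups = build("OU=Groups,DC=example,DC=com",
                "(objectClass=group)", Arrays.asList("cn", "member", "CN", " "));
        System.out.println("group search attributes: " + groups.getAttributes());

        SearchRequest empty = build("OU=Groups,DC=example,DC=com",
                "(objectClass=group)", Arrays.<String>asList());
        System.out.println("empty config attributes: " + empty.getAttributes());
    }
}
```

Building the request needs only the Apache Directory LDAP API on the classpath; no directory server is contacted until the request is passed to a connection's search call.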