Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

LDAP search failed: Result Code 4 "Size Limit Exceeded" #4162

Closed
eirslett opened this issue Mar 20, 2018 · 7 comments
Closed

LDAP search failed: Result Code 4 "Size Limit Exceeded" #4162

eirslett opened this issue Mar 20, 2018 · 7 comments

Comments

@eirslett
Copy link

Feature Request:
Setting size limit for LDAP queries

Environment:
Linux, Vault v0.9.5

Vault Config File:

vault write auth/ldap/config \
  url="ldaps://ldap.example.com:636" \
  userdn="OU=Users,OU=Org,OU=BusinessUnits,DC=example,DC=com" \
  groupdn="OU=AccountGroups,OU=Groups,OU=Org,OU=BusinessUnits,DC=example,DC=com" \
  groupfilter="(&(objectClass=group))" \
  groupattr="memberOf" \
  upndomain="example.com" \
  insecure_tls=false \
  starttls=false

vault write auth/ldap/groups/developers policies=dev

Startup Log Output:

Expected Behavior:
vault login -method=ldap username=<user> with password, should be able to login

Actual Behavior:
Error message: Result Code 4 "Size Limit Exceeded" from the LDAP server.

Important Factoids:
The LDAP environment has very many entries.

Is it possible to set a parameter to increase the limit of groups to return?
@jefferai
Copy link
Member

What parameter would that be? Is it something standardized across ldap servers?

@eirslett
Copy link
Author

At least Active Directory supports it: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc755809(v=ws.10)

@jefferai
Copy link
Member

That's a very long article, what parameter are you referring to?

@eirslett
Copy link
Author

You're right, I'm sorry to refer to such a long article. I tried to track it down in the go code instead. I suspect it's called SizeLimit here:

https://github.com/hashicorp/vault/blob/master/vendor/github.com/go-ldap/ldap/search.go#L241

In typical AD/LDAP setups the default is set server-side at 1000, while it can be overridden per query. (That is my understanding)

jefferai added a commit that referenced this issue Mar 20, 2018
@jefferai
We don't need to limit the size of ldap queries, so set a high limit
dacc84b 
Fixes #4162
@jefferai jefferai mentioned this issue Mar 20, 2018
Merged
jefferai added a commit that referenced this issue Mar 20, 2018
@jefferai
We don't need to limit the size of ldap queries, so set a high limit (#…
d5129aa 
…4169)

Fixes #4162
@aryak007
Copy link

Even after I set SizeLimit parameter to math.MaxInt64 or math.MaxInt32 or to any large value, it doesn't seem to work. I still get Code 4 "Size Limit Exceeded". What am I missing?

@aryak007 aryak007 mentioned this issue Mar 23, 2019
Closed
@aryak007
Copy link

Even after I set SizeLimit parameter to math.MaxInt64 or math.MaxInt32 or to any large value, it doesn't seem to work. I still get Code 4 "Size Limit Exceeded". What am I missing?

It was a pagination problem and it's working fine now.

@markelog markelog mentioned this issue Jul 3, 2019
Merged
markelog added a commit to grafana/grafana that referenced this issue Jul 3, 2019
@markelog
LDAP: Divide the requests
ca9a7d0 
Active Directory does indeed have a limitation with 1000 results
per search (default of course).

However, that limitation can be workaround with the pagination search feature,
meaning `pagination` number is how many times LDAP compatible server will be
requested by the client with specified amount of users (like 1000). That feature
already embeded with LDAP compatible client (including our `go-ldap`).

But slapd server has by default stricter settings. First, limitation is not 1000
but 500, second, pagination workaround presumably (information about it a bit
scarce and I still not sure on some of the details from my own testing)
cannot be workaround with pagination feature.

See
https://www.openldap.org/doc/admin24/limits.html
https://serverfault.com/questions/328671/paging-using-ldapsearch
hashicorp/vault#4162 - not sure why they were hitting the limit in
the first place, since `go-ldap` doesn't have one by default.

But, given all that, for me `ldapsearch` command with same request
as with `go-ldap` still returns more then 500 results, it can even return
as much as 10500 items (probably more).

So either there is some differences with implementation of the LDAP search
between `go-ldap` module and `ldapsearch` or I am missing a step :/.

In the wild (see serverfault link), apparently, people still hitting that
limitation even with `ldapsearch`, so it still seems to be an issue.

But, nevertheless, I'm still confused by this incoherence.

To workaround it, I divide the request by no more then
500 items per search
markelog added a commit to grafana/grafana that referenced this issue Jul 3, 2019
@markelog
LDAP: Divide the requests (#17885)
444c4d5 
* LDAP: Divide the requests

Active Directory does indeed have a limitation with 1000 results
per search (default of course).

However, that limitation can be workaround with the pagination search feature,
meaning `pagination` number is how many times LDAP compatible server will be
requested by the client with specified amount of users (like 1000). That feature
already embeded with LDAP compatible client (including our `go-ldap`).

But slapd server has by default stricter settings. First, limitation is not 1000
but 500, second, pagination workaround presumably (information about it a bit
scarce and I still not sure on some of the details from my own testing)
cannot be workaround with pagination feature.

See
https://www.openldap.org/doc/admin24/limits.html
https://serverfault.com/questions/328671/paging-using-ldapsearch
hashicorp/vault#4162 - not sure why they were hitting the limit in
the first place, since `go-ldap` doesn't have one by default.

But, given all that, for me `ldapsearch` command with same request
as with `go-ldap` still returns more then 500 results, it can even return
as much as 10500 items (probably more).

So either there is some differences with implementation of the LDAP search
between `go-ldap` module and `ldapsearch` or I am missing a step :/.

In the wild (see serverfault link), apparently, people still hitting that
limitation even with `ldapsearch`, so it still seems to be an issue.

But, nevertheless, I'm still confused by this incoherence.

To workaround it, I divide the request by no more then
500 items per search
@csquire
Copy link

csquire commented Oct 20, 2019
edited
Loading

@jefferai This is still a problem in 1.2.3. Vault needs to search with pagination and set the page size to a high value as well.

This search appears to need updated: https://github.com/hashicorp/vault/blob/master/sdk/helper/ldaputil/client.go#L214-L222

Should use something like this:

	result, err := conn.SearchWithPaging(&ldap.SearchRequest{
		BaseDN: cfg.GroupDN,
		Scope:  ldap.ScopeWholeSubtree,
		Filter: renderedQuery.String(),
		Attributes: []string{
			cfg.GroupAttr,
		},
		SizeLimit: math.MaxInt32,
	}, math.MaxInt32)

@csquire csquire mentioned this issue Oct 20, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jefferai @csquire @eirslett @aryak007