LdapTemplate.lookupContext with IncrementalAttributesMapper #785

Open
fishbone1 opened this issue Jul 11, 2023 · 1 comment
@fishbone1

It seems that DirContextOperations returned by LdapTemplate.lookupContext() doesn't correctly support multi value attributes if the value count exceeds the LDAP fetch limit (1500 in our case).

The following code doesn't work as expected:

```java
DirContextOperations dirContextOperations = ldapTemplate.lookupContext(groupDn);

boolean addIfDuplicateExists = false;
dirContextOperations.addAttributeValue("member", userDn, addIfDuplicateExists);

ldapTemplate.modifyAttributes(dirContextOperations);
```

This will cause AttributeInUseException, although addIfDuplicateExists is false, if there are too many users in the group. I assume it's because DirContextOperations didn't receive all values. Maybe it's also related to #561 and existing members won't be loaded at all since the attribute's name changes from "member" to "member;range=0-1499". I couldn't check that yet.

My suggestion would be to add a new LdapTemplate::lookupContext() variant with IncrementalAttributesMapper argument:

```java
public DirContextOperations lookupContext(Name dn, IncrementalAttributesMapper mapper)
```

Example usage:

```java
IncrementalAttributesMapper<DefaultIncrementalAttributesMapper> attributesMapper =
    new DefaultIncrementalAttributesMapper(new String[] { "member" });
DirContextOperations dirContextOperations = ldapTemplate.lookupContext(groupDn, attributesMapper);
```

But - most importantly - there should be a hint in the documentation that lookupContext() doesn't support multi value attributes except if you can guarantee that there won't be more values than a single fetch returns.

@fishbone1
Author

I also wonder if other methods like DirContextOperations::removeAttributeValue("member", memberDn) work. It looks as if the code checks whether the attribute value is available. This check probably has the same issue, so the answer will always be no and therefore nothing will be removed.

I find lots of code like that and don't know what works safely at all. This is a huge problem! It would be great if at least there was a workaround. I wonder if you could replace originalAttrs of DirContextAdapter with a version that contains the missing members, for example.
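
One possible way to manage membership of a large group without going through lookupContext(), as an added example that is not from the issue author or from the Spring LDAP project: it reads every "member" value with DefaultIncrementalAttributesMapper.lookupAttributeValues() and sends an explicit ModificationItem instead of relying on the diff computed by DirContextOperations. `LargeGroupMembership` is a hypothetical helper name, and the code assumes "member" holds full DNs and that userDn is given in that same form.

```java
import java.util.List;
import javax.naming.Name;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.LdapName;
import org.springframework.ldap.AttributeInUseException;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.DefaultIncrementalAttributesMapper;
import org.springframework.ldap.support.LdapUtils;

// Hypothetical helper, not part of Spring LDAP.
public class LargeGroupMembership {
    private final LdapTemplate ldapTemplate;

    public LargeGroupMembership(LdapTemplate ldapTemplate) {
        this.ldapTemplate = ldapTemplate;
    }

    // True if userDn is among ALL "member" values, fetched range by range.
    public boolean isMember(Name groupDn, String userDn) {
        List<Object> members = DefaultIncrementalAttributesMapper
                .lookupAttributeValues(ldapTemplate, groupDn, "member");
        LdapName wanted = LdapUtils.newLdapName(userDn);
        // Null guard is defensive, for an entry without the attribute.
        // LdapName.equals compares parsed DNs rather than raw strings.
        return members != null && members.stream()
                .anyMatch(v -> wanted.equals(LdapUtils.newLdapName(v.toString())));
    }

    // Adds userDn to the group; returns false if it was already a member.
    public boolean addMember(Name groupDn, String userDn) {
        if (isMember(groupDn, userDn)) {
            return false;
        }
        ModificationItem add = new ModificationItem(DirContext.ADD_ATTRIBUTE,
                new BasicAttribute("member", userDn));
        try {
            // Sent as-is; no diff against a partially loaded attribute set.
            ldapTemplate.modifyAttributes(groupDn, new ModificationItem[] { add });
            return true;
        } catch (AttributeInUseException e) {
            return false; // another writer added the same DN after the check
        }
    }
}
```

The check and the add are two separate LDAP operations, so the catch block is what keeps a concurrent add of the same DN from surfacing as an error.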
