From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 6C278F636 for ; Fri, 21 Jul 2023 16:34:38 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 4F87430C90 for ; Fri, 21 Jul 2023 16:34:08 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Fri, 21 Jul 2023 16:34:06 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 72C6A426DC for ; Fri, 21 Jul 2023 16:34:06 +0200 (CEST) From: Stefan Sterz To: pbs-devel@lists.proxmox.com Date: Fri, 21 Jul 2023 16:34:03 +0200 Message-Id: <20230721143403.1288116-2-s.sterz@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230721143403.1288116-1-s.sterz@proxmox.com> References: <20230721143403.1288116-1-s.sterz@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.091 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [lib.rs, ietf.org] Subject: [pbs-devel] [PATCH proxmox 2/2] ldap: only search base of base_dn when checking connection X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Jul 2023 14:34:38 -0000 this should avoid most common size limitations. the search should also complete quicker as fewer results need to be computed. note that this way a configuration may be accepted, but the related sync job can fail due to and exceeded size limit warning for some ldap servers (such as 2.5.14+dfsg-0ubuntu0.22.04.2). Signed-off-by: Stefan Sterz --- spend way to much time figuring this out, anyway, wanted to add some notes here that i encountered while testing potential solutions: * when using an anonymous bind with slapd in its default configuration the default size limit will also be enforced against a paged search. this means that while a configuration may succeed with 5 users with an anonymous bind, it will fail with 500+ users. * if the client specifies a size limit for the search and the server finds more results than specified by the search limit it will return only the specified amount of results. however, the result code will still be 4 (sizeLimitExceeded) resulting in an error. the same happens if the server specifies a limit and the search exceeds it. it also uses the the result code 4 (sizeLimitExceeded) in that case. * if a streaming_search is finished before all results are retrieved, ldap3 will handle this as specified in the relevant rfc from what i can tell [1]. however, the result code will then be 88 for a user canceled request, which is treated as an `Err` Result in ldap3. [1]: https://datatracker.ietf.org/doc/html/rfc2696 proxmox-ldap/src/lib.rs | 34 +++++++++++++--------------------- 1 file changed, 13 insertions(+), 21 deletions(-) diff --git a/proxmox-ldap/src/lib.rs b/proxmox-ldap/src/lib.rs index c47870d..b3b5d65 100644 --- a/proxmox-ldap/src/lib.rs +++ b/proxmox-ldap/src/lib.rs @@ -177,30 +177,22 @@ impl Connection { .await? .success() .context("LDAP bind failed, bind_dn or password could be incorrect")?; + } - let (_, _) = ldap - .search( - &self.config.base_dn, - Scope::Subtree, - "(objectClass=*)", - vec!["*"], - ) - .await? - .success() - .context("Could not search LDAP realm, base_dn could be incorrect")?; + // only search base to make sure the base_dn exists while avoiding most common size limits + let (_, _) = ldap + .search( + &self.config.base_dn, + Scope::Base, + "(objectClass=*)", + vec!["*"], + ) + .await? + .success() + .context("Could not search LDAP realm, base_dn could be incorrect")?; + if self.config.bind_dn.is_some() { let _: Result<(), _> = ldap.unbind().await; // ignore errors, search succeeded already - } else { - let (_, _) = ldap - .search( - &self.config.base_dn, - Scope::Subtree, - "(objectClass=*)", - vec!["*"], - ) - .await? - .success() - .context("Could not search LDAP realm, base_dn could be incorrect")?; } Ok(()) -- 2.39.2