
LdapTemplate.lookupContext with IncrementalAttributesMapper

Open fishbone1 opened this issue 2 years ago • 1 comments

It seems that DirContextOperations returned by LdapTemplate.lookupContext() doesn't correctly support multi value attributes if the value count exceeds the LDAP fetch limit (1500 in our case).

The following code doesn't work as expected:

DirContextOperations dirContextOperations = ldapTemplate.lookupContext(groupDn);

boolean addIfDuplicateExists = false;
dirContextOperations.addAttributeValue("member", userDn, addIfDuplicateExists);

ldapTemplate.modifyAttributes(dirContextOperations);

This will cause an AttributeInUseException, although addIfDuplicateExists is false, if there are too many users in the group. I assume it's because DirContextOperations didn't receive all values. Maybe it's also related to #561 and existing members won't be loaded at all since the attribute's name changes from "member" to "member;range=0-1499". I couldn't check that yet.

My suggestion would be to add a new LdapTemplate::lookupContext() variant with IncrementalAttributesMapper argument:

public DirContextOperations lookupContext(Name dn, IncrementalAttributesMapper mapper)

Example usage:

IncrementalAttributesMapper<DefaultIncrementalAttributesMapper> attributesMapper =
    new DefaultIncrementalAttributesMapper(new String[] { "member" });
DirContextOperations dirContextOperations = ldapTemplate.lookupContext(groupDn, attributesMapper);

But, most importantly, there should be a hint in the documentation that lookupContext() doesn't support multi value attributes unless you can guarantee that there won't be more values than a single fetch returns.

fishbone1 avatar Jul 11 '23 14:07 fishbone1

I also wonder if other methods like DirContextOperations::removeAttributeValue("member", memberDn) work. It looks as if the code checks whether the attribute value is available. This check probably has the same issue, so the answer will always be no and therefore nothing will be removed.

I find lots of code like that and don't know what works safely at all. This is a huge problem! It would be great if at least there was a workaround. I wonder if you could replace originalAttrs of DirContextAdapter with a version that contains the missing members, for example.

fishbone1 avatar Jul 25 '23 09:07 fishbone1
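
A possible workaround for the add and remove cases discussed in this thread, as an added example that is not from the issue author or the spring-ldap project: it reads every "member" value through DefaultIncrementalAttributesMapper.lookupAttributeValues and sends an explicit ModificationItem, so the outcome does not depend on the attribute snapshot held by DirContextOperations. The class GroupMembershipEditor and its method names are hypothetical.

```java
import java.util.List;
import javax.naming.Name;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.LdapName;
import org.springframework.ldap.core.LdapOperations;
import org.springframework.ldap.core.support.DefaultIncrementalAttributesMapper;
import org.springframework.ldap.support.LdapUtils;

// Hypothetical helper, not part of spring-ldap.
public class GroupMembershipEditor {
    private static final String MEMBER = "member";
    private final LdapOperations ldap;

    public GroupMembershipEditor(LdapOperations ldap) { this.ldap = ldap; }

    /** Checks userDn against ALL member values, fetched range by range. */
    public boolean isMember(Name groupDn, LdapName userDn) {
        List<Object> values =
            DefaultIncrementalAttributesMapper.lookupAttributeValues(ldap, groupDn, MEMBER);
        if (values == null) return false;            // attribute absent or empty
        for (Object v : values) {
            // LdapName.equals ignores case and insignificant whitespace in the DN.
            if (LdapUtils.newLdapName(v.toString()).equals(userDn)) return true;
        }
        return false;
    }

    /** Adds userDn unless already present; returns true if a modification was sent. */
    public boolean addMember(Name groupDn, LdapName userDn) {
        if (isMember(groupDn, userDn)) return false;
        modify(groupDn, DirContext.ADD_ATTRIBUTE, userDn);
        return true;
    }

    /** Removes userDn if present; returns true if a modification was sent. */
    public boolean removeMember(Name groupDn, LdapName userDn) {
        if (!isMember(groupDn, userDn)) return false;
        modify(groupDn, DirContext.REMOVE_ATTRIBUTE, userDn);
        return true;
    }

    // Sends a single-value change; the server never sees a diff computed from a partial value list.
    // The check and the write are not atomic, so a concurrent change can still raise a NamingException.
    private void modify(Name groupDn, int op, LdapName userDn) {
        ModificationItem item = new ModificationItem(op, new BasicAttribute(MEMBER, userDn.toString()));
        ldap.modifyAttributes(groupDn, new ModificationItem[] { item });
    }
}
```

Because removeMember reports whether a change was actually sent, a caller revoking group access can log or alert when it returns false instead of assuming the member was removed.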