Page MenuHomePhabricator
Create Task
Maniphest T122595

Restore ldaplist -l passwd
Closed, InvalidPublic
Actions

Description

The new openldap servers have tighter limits on unindexed searches. That results in:

$ ldaplist -l passwd
The search returned an error.

If there's a compelling reason to keep those limits low then I can live with this, but there are a fair number of useful workflows that begin with 'list all users, grep for X' which are no somewhat uglier.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
Bump the size limit for labs openldap server to 4096operations/puppetproduction+1 -0
WIP: ldap: Make ldaplist use paging for queriesoperations/puppetproduction+23 -8
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 InvalidNoneT122595 Restore ldaplist -l passwd
Restricted Task
Restricted Task

Event Timeline

Andrew created this task.Dec 29 2015, 7:21 PM
Andrew assigned this task to MoritzMuehlenhoff.
Andrew raised the priority of this task from to Needs Triage.
Andrew updated the task description. (Show Details)
Andrew added projects: Cloud-Services, LDAP.
Andrew subscribed.
Restricted Application added subscribers: StudiesWorld, Aklapper. · View Herald TranscriptDec 29 2015, 7:21 PM
Andrew added a subtask: Restricted Task.Dec 29 2015, 7:47 PM
Krenair subscribed.Dec 29 2015, 8:22 PM
Andrew closed subtask Restricted Task as Resolved.Dec 29 2015, 9:30 PM
chasemp reopened subtask Restricted Task as Open.Dec 29 2015, 11:38 PM
MoritzMuehlenhoff added a comment.Jan 4 2016, 11:07 PM

I have a patch for that which is working fine, but there's been an API change in python-ldap 2.3 (precise) and 2.4 (trusty, jessie). Do we also need this in precise?`Then I would need to implement some alternate fallback in the old API.

Andrew added a comment.Jan 5 2016, 7:35 PM

I don't care if it's broken in precise. Can it detect and fail gracefully?

MoritzMuehlenhoff added a comment.Jan 5 2016, 7:44 PM

Ok, I'll simply not use the server control for paged searches when using python-ldap < 2.4, then.

Andrew closed subtask Restricted Task as Declined.Jan 22 2016, 11:29 PM
chasemp triaged this task as Low priority.May 31 2016, 3:07 PM
chasemp subscribed.
In T122595#1916607, @MoritzMuehlenhoff wrote:

Ok, I'll simply not use the server control for paged searches when using python-ldap < 2.4, then.

can be resolved?

scfc subscribed.May 31 2016, 6:00 PM

I am interested in @MoritzMuehlenhoff's patch.

MoritzMuehlenhoff added a comment.Jun 1 2016, 5:42 PM

My old patch from https://gerrit.wikimedia.org/r/#/c/262745/ was wrong, it still needs more work to actually request the followup pages,

scfc mentioned this in T138102: Some Tools users do not show up in create-dbusers query.Jun 17 2016, 7:07 PM
gerritbot subscribed.Jun 20 2016, 12:42 AM

Change 295177 had a related patch set uploaded (by Tim Landscheidt):
WIP: ldap: Make ldaplist use paging for queries

https://gerrit.wikimedia.org/r/295177

gerritbot added a project: Patch-For-Review.Jun 20 2016, 12:42 AM
scfc mentioned this in rOPUPb74dbe58d40e: WIP: ldap: Make ldaplist use paging for queries.Jun 20 2016, 12:45 AM
scfc added a comment.Jun 20 2016, 12:48 AM

My WIP patch works in principle, and I'll add the Precise compatibility, but:

It will fail for ldaplist passwd because there are getent passwd | wc -l = 3525 entries for users, but size_limit (I assume) is set to the default 2048, so it can never retrieve all users.

Can size_limit be increased to 4096 (or more)?

gerritbot added a comment.Jun 20 2016, 8:56 AM

Change 295198 had a related patch set uploaded (by Muehlenhoff):
Bump the size limit for labs openldap server to 4096

https://gerrit.wikimedia.org/r/295198

Muehlenhoff mentioned this in rOPUP59c398839804: Bump the size limit for labs openldap server to 4096.Jun 20 2016, 9:02 AM
MoritzMuehlenhoff added a comment.Jun 20 2016, 9:08 AM

I've created https://gerrit.wikimedia.org/r/#/c/295198/ to raise the size limit. The reason my patch and our patch are not effective is because OpenLDAP handles paged search requests differently from Active Directory (for which all of those docs are usually written since AD applies a fairly tiny size limit by default (1000): OpenLDAP applies the size limit to the sum of all paged requests, while AD applies them per page. So the only real fix is to raise the limit.

gerritbot added a comment.Jun 20 2016, 12:58 PM

Change 295177 abandoned by Tim Landscheidt:
WIP: ldap: Make ldaplist use paging for queries

Reason:
Cf. I198d39.

https://gerrit.wikimedia.org/r/295177

gerritbot added a comment.Jun 21 2016, 8:32 AM

Change 295198 abandoned by Muehlenhoff:
Bump the size limit for labs openldap server to 4096

https://gerrit.wikimedia.org/r/295198

hashar subscribed.Sep 12 2016, 12:14 PM

Note that T114063 is about dropping ldapsupportlib.py and thus ldaplist.

MoritzMuehlenhoff removed MoritzMuehlenhoff as the assignee of this task.Nov 11 2016, 12:50 PM
MoritzMuehlenhoff set Security to None.
MoritzMuehlenhoff subscribed.
bd808 closed this task as Invalid.Jun 1 2020, 4:51 AM
bd808 subscribed.

Closing as invalid which probably isn't technically correct, but paged searches certainly work.

Maintenance_bot removed a project: Patch-For-Review.Jun 1 2020, 5:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits