UniStuttgart-VISUS / Visus.LdapAuthentication

LDAP authentication middleware for ASP.NET Core
MIT License

Make Paged search optional on LdapSearchService #12

Closed Maxhy closed 8 months ago

Maxhy commented 8 months ago

Affected library

Environment

Summary: The paged search extension may not be available on the LDAP server, which would make LdapSearchService useless.

What are you doing? Calling the getUsers method on LdapSearchService with only the filter parameter.

What is the problem? Not having this extension is not a problem until you perform a search using LdapSearchService, which makes an explicit call to the paged search implementation.

https://github.com/UniStuttgart-VISUS/Visus.LdapAuthentication/blob/f9d4a31ab81823a293e932085cd45a607097657d/Visus.LdapAuthentication/LdapSearchService.cs#L247

What behaviour did you expect? This feature should be optional: use it if available/enabled on the Options side, and fall back to regular search otherwise.

crowbar27 commented 8 months ago

My understanding is that you get an empty result set due to an LdapException in https://github.com/UniStuttgart-VISUS/Visus.LdapAuthentication/blob/f9d4a31ab81823a293e932085cd45a607097657d/Visus.LdapAuthentication/PagingExtensions.cs#L188C30-L188C43 Is that correct?

Can you retrieve the ResultCode from this exception? I am considering two solutions atm, one being that paging does not happen if LdapOptions.PageSize < 0, and the second being that the implementation recovers from that, either by checking the feature support or by retrying.

crowbar27 commented 8 months ago

Problem affects DirectoryAuthentication as well.

Maxhy commented 8 months ago

Correct. The error code is 12, Unavailable Critical Extension. A check on LdapOptions.PageSize < 0 would be an acceptable way indeed.

crowbar27 commented 8 months ago

1.14.0 and 0.12.0 now allow for setting the page size to zero, which will disable paging. However, I am not sure what OpenLDAP will do if you have too many results. On AD, LdapAuthentication will silently truncate the results, whereas DirectoryAuthentication will fail (I could not find a way to prevent this failure, because the request itself will fail).
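
The two recovery options discussed in this thread (checking feature support, or retrying after result code 12), sketched against System.DirectoryServices.Protocols as an added example; this is not the library's own code. The class and method names are hypothetical, and the caller is assumed to pass an already bound LdapConnection.

```csharp
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Linq;

static class OptionalPaging {   // hypothetical helper, not part of Visus.LdapAuthentication
    // OID of the Simple Paged Results control (RFC 2696).
    const string PagedResultsOid = "1.2.840.113556.1.4.319";

    // Reads supportedControl from the rootDSE to see whether the server offers paging.
    public static bool SupportsPaging(LdapConnection connection) {
        var request = new SearchRequest("", "(objectClass=*)", SearchScope.Base, "supportedControl");
        var response = (SearchResponse) connection.SendRequest(request);
        if (response.Entries.Count == 0) return false;
        var attribute = response.Entries[0].Attributes["supportedControl"];
        return attribute != null
            && attribute.GetValues(typeof(string)).Cast<string>().Contains(PagedResultsOid);
    }

    // pageSize <= 0 disables paging, as does a server that does not list the control.
    // An unpaged search that hits the server's size limit throws and is not caught here.
    public static List<SearchResultEntry> Search(LdapConnection connection,
            string searchBase, string filter, int pageSize) {
        var results = new List<SearchResultEntry>();
        var request = new SearchRequest(searchBase, filter, SearchScope.Subtree);
        PageResultRequestControl paging = null;
        if (pageSize > 0 && SupportsPaging(connection)) {
            paging = new PageResultRequestControl(pageSize);
            request.Controls.Add(paging);
        }
        while (true) {
            SearchResponse response;
            try {
                response = (SearchResponse) connection.SendRequest(request);
            } catch (DirectoryOperationException ex) when (paging != null
                    && ex.Response?.ResultCode == ResultCode.UnavailableCriticalExtension) {
                // Result code 12: the server rejected the control, so retry unpaged.
                request.Controls.Remove(paging);
                paging = null;
                results.Clear();
                continue;
            }
            results.AddRange(response.Entries.Cast<SearchResultEntry>());
            var cookie = response.Controls.OfType<PageResultResponseControl>()
                .FirstOrDefault()?.Cookie;
            if (paging == null || cookie == null || cookie.Length == 0) return results;
            paging.Cookie = cookie;   // request the next page
        }
    }
}
```

Letting the size-limit exception propagate keeps an oversized unpaged result from being mistaken for the complete set, which matters when the search feeds group or role lookups.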