search

cannatag / ldap3

a strictly RFC 4510 conforming LDAP V3 pure Python client. The same codebase works with Python 2. Python 3, PyPy and PyPy3
Other
873 stars 267 forks source link

paged_search error with REUSABLE client_strategy in Active Directory #1152

Open spirkaa opened 1 month ago

spirkaa commented 1 month ago

When using SYNC strategy, i can successfully run conn.extend.standard.paged_search(**search_params) for finding disabled and expired users in Active Directory that normally returns ~18000 results (18 pages, 1000/per page).

When i switch to REUSABLE strategy to reuse connections in my fastapi app, i get only 1000 results from the first page, and then this error raised:

ldap3.core.exceptions.LDAPUnavailableCriticalExtensionResult: LDAPUnavailableCriticalExtensionResult - 12 - unavailableCriticalExtension - None - 00000057: LdapErr: DSID-0C090B01, comment: Error processing control, data 0, v3839 - searchResDone - None

As far as I understand, this is due to the fact that a paged_cookie was received in one connection thread, and then there was an attempt to use it in another thread.

zorn96 commented 1 month ago

if I recall correctly, the docs actually recommend against using REUSABLE. it was added to help with LDAP server implementations, not clients, but it has a bunch of issues.

even if you were to avoid your current issue, you might run into another with AD. AD has a limit on the number of cookies that can be live for a single authenticated client at once, and so if you have multiple paged searches executing in parallel then the newer ones will invalidate the cookies of the older ones before they complete

spirkaa commented 1 month ago

Cannot find any mentions against using REUSABLE strategy in docs or issues.

For now i do not expect AD-related issues, and if they arise, it will be regardless of the strategy used.

Now I'm using the connection as stated in the docs:

from ldap3 import REUSABLE, Connection

url = "ldap://addc:389"
user = "svcuser"
password = "pAsSword"

conn = Connection(
    url,
    user,
    password,
    auto_bind=True,
    client_strategy=REUSABLE,
    pool_size=4,
    raise_exceptions=True,
)

search_params = {
    "search_base": "OU=employees,DC=example,DC=com",
    "search_filter": "(&(objectCategory=person)(objectClass=user)(|(userAccountControl:1.2.840.113556.1.4.803:=2)(&(!(accountExpires=0))(accountExpires<=133654332205528576))))",
    "attributes": ["sAMAccountName", "mail"],
    "paged_size": 1000,
    "paged_criticality": True,
}

entries = conn.extend.standard.paged_search(**search_params)
for entry in entries:
    print(entry)

Maybe it is possible to get a specific free connection from the pool in order to use it exclusively in a request?

santosshen commented 1 month ago 
from ldap3 import RESTARTABLE, Connection, set_config_parameter

set_config_parameter('RESTARTABLE_SLEEPTIME', 0.5)
set_config_parameter('RESPONSE_WAITING_TIMEOUT', 2)

url = "ldap://addc:389"
user = "svcuser"
password = "pAsSword"

conn = Connection(
    url,
    user,
    password,
    auto_bind=True,
    client_strategy=RESTARTABLE,
    receive_timeout=2
)

entries = conn.extend.standard.paged_search(
    search_base="OU=employees,DC=example,DC=com",
    search_filter="(&(objectCategory=person)(objectClass=user)(|(userAccountControl:1.2.840.113556.1.4.803:=2)(&(!(accountExpires=0))(accountExpires<=133654332205528576))))",
    attributes=["sAMAccountName", "mail"],
    paged_size=1000
)
for entry in entries:
    print(entry)