Open igorehan opened 2 years ago
Hi @igorehan I believe an optimization has to be done here. Being that said, I will investigate. Can I just have an idea of the number of objects in your ad?
In my case (according to the filter that was the result of sniffing), 18818 objects are returned. But absolutely everything gets here: user accounts, contacts, computer accounts, groups, containers, HealthMailbox accounts (from Exchange Server)...
I don't think there is anything to optimize here. It is only necessary that "ldap_search" contains the User Object Filter, and not the default one, which requests, roughly speaking, everything that is in AD. Again, why does Teampass need all the objects? It should only be interested in user accounts: (&(objectCategory=person)(objectClass=user))
https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
In my User Object Filter (members of the same group) should return only 10-15 objects - user accounts. And those who do not specify the User Object Filter should understand that what they require from the system, especially at a large scale, is doing something wrong, and a User Object Filter is needed.
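As an added example, not Teampass's own code (Python rather than the project's PHP), this composes the search filter the way the comment above proposes: the user-class restriction is always ANDed with the configured User Object Filter and an optional group DN, so the search never falls back to the catch-all filter, and the DN is escaped per RFC 4515. The group DN used in the comments is a constructed placeholder.

```python
# Clauses that restrict results to user accounts, as proposed in the thread.
USER_CLASS_CLAUSES = "(objectCategory=person)(objectClass=user)"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP filter, so a DN or
    user name containing '(', ')', '*' or '\\' cannot alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def is_balanced(filter_str: str) -> bool:
    """Cheap sanity check: a filter must be a single parenthesised expression."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0 and filter_str.startswith("(") and filter_str.endswith(")")


def build_user_filter(user_object_filter: str = "", group_dn: str = "") -> str:
    """AND the user-class clauses with the admin-configured User Object Filter
    and an optional memberOf clause; the result is never objectClass=*."""
    clauses = [USER_CLASS_CLAUSES]
    uof = user_object_filter.strip()
    if uof:
        if not uof.startswith("("):
            uof = "(" + uof + ")"
        if not is_balanced(uof):
            raise ValueError("malformed User Object Filter: %r" % user_object_filter)
        clauses.append(uof)
    if group_dn:
        # e.g. group_dn = "CN=Teampass Users,OU=Groups,DC=example,DC=com" (constructed)
        clauses.append("(memberOf=%s)" % escape_filter_value(group_dn))
    return "(&" + "".join(clauses) + ")"
```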
For the time being, I get by with the fact that in the includes/libraries/LdapRecord/Ldap.php
file, on lines 235 and 236 (relevant for 885a31967239f1a6d56e1016b3052eac47ce170b) (ldap_search call), instead of $filter
I write my user object filter in quotes. Everything else works.
This workaround did the trick. Thank you.
Expected behaviour
After setting up LDAP and subsequent synchronization via LDAP, the User Object Filter is ignored. Since there are a lot of objects in our domain, after 3-6 minutes the domain controller returns the result of the request, but we get a PHP error (memorylimit = 512M) (url is intentionally hidden):
As a result, synchronization does not occur.
Actual behaviour
Return objects (correct searchRequest) according to the User Object Filter (in this case, only those objects that are in a specific group)
Server configuration
Operating system: Debian GNU/Linux 11 (bullseye)
Web server: Apache/2.4.52 (Debian)
Database: 10.5.12-MariaDB-0+deb11u1 Debian 11
PHP version: 7.4.25
Teampass version: 3.0.0.10
LDAP Settings:
Below is the sniffing result that occurs during LDAP synchronization: