nilsteampassnet / TeamPass

Collaborative Passwords Manager
https://www.teampass.net

LDAP sync ignores User Object Filter #3040

Open igorehan opened 2 years ago

igorehan commented 2 years ago

Expected behaviour

After setting up LDAP and running the subsequent synchronization via LDAP, the User Object Filter is ignored. Since there are a lot of objects in our domain, after 3-6 minutes the domain controller returns the result of the request, but we get a PHP error (memory_limit = 512M) (URL is intentionally hidden):

PHP Fatal error: Allowed memory size of 536870912 bytes exhausted (tried to allocate 20480 bytes) in /var/www/teampass/includes/libraries/LdapRecord/Ldap.php on line 18, referer: https://url/index.php?page=users

As a result, synchronization does not occur.

Actual behaviour

Return objects (correct searchRequest) according to the User Object Filter (in this case, only those objects that are in a specific group)

Server configuration

Operating system: Debian GNU/Linux 11 (bullseye)

Web server: Apache/2.4.52 (Debian)

Database: 10.5.12-MariaDB-0+deb11u1 Debian 11

PHP version: 7.4.25

Teampass version: 3.0.0.10

LDAP Settings: [image]

Below is the sniffing result captured during LDAP synchronization: [image]

nilsteampassnet commented 2 years ago

Hi @igorehan, I believe an optimization has to be done here. That being said, I will investigate. Can I just have an idea of the number of objects in your AD?

igorehan commented 2 years ago

In my case (according to the filter that the sniffing showed), 18818 objects are returned. But absolutely everything ends up in there: user accounts, contacts, computer accounts, groups, containers, HealthMailbox accounts (from Exchange Server)...

I don't think there is anything to optimize here. It is only necessary that "ldap_search" uses the User Object Filter, and not the default one, which requests, roughly speaking, everything that is in AD. Again, why does Teampass need all the objects? It should only be interested in user accounts: (&(objectCategory=person)(objectClass=user)) https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

My User Object Filter (members of one group) should return only 10-15 objects: user accounts. And those who do not specify a User Object Filter should understand that what they are asking of the system, especially at large scale, is wrong, and that a User Object Filter is needed.

igorehan commented 1 year ago

For the time being, I get by with the following: in the includes/libraries/LdapRecord/Ldap.php file, on lines 235 and 236 (relevant for commit 885a31967239f1a6d56e1016b3052eac47ce170b) (the ldap_search call), I write my User Object Filter in quotes instead of $filter. Everything else works.
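The two points made in this thread, that the search sent to the directory should be the configured User Object Filter ANDed with a user-account base filter rather than a catch-all, and that the filter handed to ldap_search must actually contain it, can be shown offline with a small illustration. The following is an added example written for this page, not code from TeamPass or the LdapRecord library: it composes the filter, escapes any value spliced in from outside (RFC 4515), and evaluates the result against a constructed five-entry sample directory using a minimal filter evaluator that only understands &, |, ! and equality. Real AD stores objectCategory as a schema DN; the sample keeps the short form that AD accepts in filters. The group DN, entry names and attribute values are all made up for the example.

```python
"""Compose, escape and evaluate an LDAP user search filter (RFC 4515).

Added example for this thread, not code from TeamPass or LdapRecord.
The evaluator and the sample directory below are constructed for the
illustration; attribute names in entries are stored lowercase.
"""
import re

# Base filter for AD user accounts, as cited in the thread.
BASE_USER_PARTS = ["(objectCategory=person)", "(objectClass=user)"]
# What an unfiltered sync effectively asks the domain controller for.
CATCH_ALL_FILTER = "(objectClass=*)"

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a filter assertion (RFC 4515 section 3)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(f: str, i: int):
    """Recursive-descent parse of '(&...)', '(|...)', '(!...)' or '(attr=value)'."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {f!r}")
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, i, children = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            child, i = _parse(f, i)
            children.append(child)
        if i >= len(f) or f[i] != ")" or not children:
            raise ValueError("unbalanced or empty compound filter")
        return (op, children), i + 1
    end = f.find(")", i)
    if end < 0:
        raise ValueError("unterminated assertion")
    attr, sep, value = f[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"unsupported assertion {f[i:end]!r}")
    return ("=", attr.lower(), value), end + 1


def parse_filter(f: str):
    node, i = _parse(f, 0)
    if i != len(f):
        raise ValueError("trailing characters after filter")
    return node


def build_user_search_filter(user_object_filter, username=None, username_attr="sAMAccountName"):
    """Filter to hand to ldap_search(): base AND the admin's configured filter
    [AND one escaped username when resolving a single account]."""
    parts = list(BASE_USER_PARTS)
    if user_object_filter and user_object_filter.strip():
        uof = user_object_filter.strip()
        if not uof.startswith("("):
            uof = f"({uof})"
        parse_filter(uof)  # reject a malformed admin-supplied filter early
        parts.append(uof)
    if username is not None:
        parts.append(f"({username_attr}={escape_filter_value(username)})")
    return "(&" + "".join(parts) + ")"


def _matches(node, entry):
    op = node[0]
    if op == "&":
        return all(_matches(c, entry) for c in node[1])
    if op == "|":
        return any(_matches(c, entry) for c in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":  # presence test
        return bool(values)
    wanted = _unescape(value).lower()
    return any(v.lower() == wanted for v in values)


def search(filter_str, directory):
    """Return the DNs of entries in `directory` that match `filter_str`."""
    node = parse_filter(filter_str)
    return [e["dn"] for e in directory if _matches(node, e)]


# Constructed sample directory: two users (one in the group), a computer,
# a contact and the group itself. A real domain has thousands of such objects.
GROUP_DN = "CN=TeamPass Users,OU=Groups,DC=example,DC=com"
SAMPLE_DIRECTORY = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=com", "objectcategory": ["person"],
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "samaccountname": ["alice"], "memberof": [GROUP_DN]},
    {"dn": "CN=Bob,OU=Staff,DC=example,DC=com", "objectcategory": ["person"],
     "objectclass": ["top", "person", "organizationalPerson", "user"],
     "samaccountname": ["bob"], "memberof": []},
    {"dn": "CN=WS01,OU=Workstations,DC=example,DC=com", "objectcategory": ["computer"],
     "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
     "samaccountname": ["WS01$"]},
    {"dn": "CN=Vendor,OU=Contacts,DC=example,DC=com", "objectcategory": ["person"],
     "objectclass": ["top", "person", "organizationalPerson", "contact"]},
    {"dn": GROUP_DN, "objectcategory": ["group"], "objectclass": ["top", "group"]},
]

if __name__ == "__main__":
    uof = f"(memberOf={GROUP_DN})"
    for label, flt in [("catch-all", CATCH_ALL_FILTER),
                       ("base only", build_user_search_filter(None)),
                       ("base + User Object Filter", build_user_search_filter(uof))]:
        print(f"{label}: {flt} -> {len(search(flt, SAMPLE_DIRECTORY))} entries")
```

Running it shows the catch-all returning every object (including the computer, the contact and the group), the base filter narrowing to the two user accounts, and the composed filter with the group-membership User Object Filter returning only the one member, which is the behaviour the reporter expects from the sync. The escaping step matters once a username is spliced into the filter at login: a value such as `*)(objectClass=*` is emitted as `\2a\29\28objectClass=\2a` and simply fails to match, instead of rewriting the query.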

theLockesmith commented 1 year ago

> For the time being, I get by with the following: in the includes/libraries/LdapRecord/Ldap.php file, on lines 235 and 236 (relevant for commit 885a31967239f1a6d56e1016b3052eac47ce170b) (the ldap_search call), I write my User Object Filter in quotes instead of $filter. Everything else works.

This workaround did the trick. Thank you.