From: Peter Burdine
Date: Tue, 13 Sep 2016 11:53:31 -0700
Subject: Re: LDAPConnection a size limit of 1000 ?
To: user@guacamole.incubator.apache.org

I thought that was the case. That just means worst case, I have to create the user in the DB manually (with the correct matching user name), then assign the connections until 0.9.10 comes out and the limit is increased.

Thanks for the clarification!

On Tue, Sep 13, 2016 at 12:18 AM, Mike Jumper wrote:
> The issue should only affect the ability to see the LDAP users in the
> admin pages. That's the only place that a query retrieving all users
> is attempted.
>
> The authentication process involves either (1) binding using a DN
> derived directly from the username provided or (2) binding using a
> dedicated search DN for the sake of querying the DN of the user having
> the username provided, and then binding as THAT user. At most,
> authentication will involve retrieving a single entry; nothing near
> the default limit of 1000 entries.
>
> - Mike
>
>
> On Mon, Sep 12, 2016 at 5:34 PM, Peter Burdine wrote:
> > Sorry to bring this up again. I am looking to use this to set up a system
> > that has just over 1000 users. I am planning on using LDAP for auth, but
> > MySQL for connectivity data. Does this issue affect the ability for some
> > users to log in, or does it just affect the ability to see all of the LDAP
> > users in the admin pages? I don't see this info in the Jira ticket or PR
> > discussion.
> >
> > Thanks,
> > Peter
> >
> > On Sun, Aug 14, 2016 at 7:17 PM, James Muehlner wrote:
> >>
> >> Hey Herve,
> >>
> >> I see that you created the pull request and associated ticket. Great!
> >> Let's move the discussion over to GitHub at this point.
> >>
> >> James
> >>
> >> On Sun, Aug 14, 2016 at 8:05 AM, Herve Guehl wrote:
> >>>
> >>> Hi James,
> >>> did my homework (though this was my first time with git :p ).
> >>> The code in itself is not dirty (I hope ;), I just meant that it would
> >>> be better to get the results from ldap as mentioned by RFC 2696. But IMHO
> >>> nowadays we can get more than 1000 results using a search in a ldap
> >>> directory...
> >>>
> >>> Hervé
> >>>
> >>> On Sun, Aug 14, 2016 at 2:54 AM, James Muehlner wrote:
> >>>>
> >>>> Greetings Herve,
> >>>>
> >>>> In order to accept code changes into the project, we'll need a pull
> >>>> request on GitHub, and a corresponding JIRA issue in the Apache JIRA. See
> >>>> our contribution guidelines for more information.
> >>>>
> >>>> As a side note, we're always happy to accept code contributions from the
> >>>> community, but we do try to make sure that the contributions are always up
> >>>> to our code quality standards. If you feel that your patch is a bit dirty,
> >>>> it may have to be cleaned up a bit before we're ready to accept it upstream.
> >>>>
> >>>> James
> >>>>
> >>>> On Fri, Aug 5, 2016 at 12:45 PM, Herve Guehl wrote:
> >>>>>
> >>>>> Hi,
> >>>>> If your active directory contains more than 1000 users in the search
> >>>>> OU, you'll need to :
> >>>>>  - Configure your active directory to extend the MaxPageSize limit
> >>>>> (default 1000)
> >>>>> https://technet.microsoft.com/en-us/library/cc770976%28v=ws.11%29.aspx
> >>>>> - Use the included patch (a bit dirty, as it would be better to fetch
> >>>>> results according to the max page size, but works for me) :
> >>>>>    - it enables the possibility to get more than 1000 results for a ldap
> >>>>> request for the guacamole-client. You will have to add ldap-maxresults: 2000
> >>>>> (or the value you need) in your guacamole.properties file.
> >>>>>
> >>>>> Have fun.
> >>>>> Hervé
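The distinction drawn in this thread, as an added example that is not part of the original messages or of Guacamole's code: a "list every user" query hits the 1000-entry limit, the single-entry lookup used during authentication does not, and a paged search in the style of RFC 2696 retrieves everything in chunks. The in-memory server, the directory contents and all function names are assumptions made for illustration.

```python
# Added illustration: an in-memory stand-in for a directory server, not Guacamole or AD code.
SERVER_LIMIT = 1000  # per-response entry cap, the default limit discussed in the thread

class SizeLimitExceeded(Exception):
    """Stand-in for LDAP result code sizeLimitExceeded (4)."""

# Constructed sample directory: 1200 users, i.e. "just over 1000".
DIRECTORY = [f"cn=user{i:04d},ou=people,dc=example,dc=com" for i in range(1200)]

def server_search(match, page_size=None, cookie=0):
    """Return (entries, next_cookie). The cookie is an offset here; real cookies are opaque."""
    hits = [dn for dn in DIRECTORY if match(dn)]
    if page_size is None:                    # plain search, no paging control sent
        if len(hits) > SERVER_LIMIT:
            raise SizeLimitExceeded(len(hits))
        return hits, None
    size = min(page_size, SERVER_LIMIT)      # the server caps the requested page size
    nxt = cookie + size
    return hits[cookie:nxt], (nxt if nxt < len(hits) else None)

def list_all_users_unpaged():
    """What an admin-page listing does: one query matching every user."""
    return server_search(lambda dn: True)[0]

def find_user_dn(username):
    """Search-then-bind lookup at login: exactly one entry is expected."""
    hits, _ = server_search(lambda dn: dn.startswith(f"cn={username},"))
    return hits[0] if len(hits) == 1 else None

def list_all_users_paged(page_size=500):
    """Paged search: repeat the query, echoing the server's cookie, until none is returned."""
    entries, cookie = [], 0
    while cookie is not None:
        page, cookie = server_search(lambda dn: True, page_size, cookie)
        entries.extend(page)
    return entries

def demo():
    """Run all three cases against the constructed directory."""
    try:
        list_all_users_unpaged()
        unpaged = "ok"
    except SizeLimitExceeded:
        unpaged = "size limit exceeded"
    return unpaged, find_user_dn("user1150"), len(list_all_users_paged())

if __name__ == "__main__":
    print(demo())
```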