LdapException: Size Limit Exceeded (4) #139
Comments
|
Related to #39 ??? |
|
As far as I can recall, this was done because the LDAP library we were using (the only one I'm aware of, or was at the time, for .NET/C#) didn't allow per-user queries. It could probably be chunked if required, or if it can do searches for the single user that's definitely ideal. Test env shouldn't be too complicated: you just need the |
|
Is that this library? https://github.com/dsbenghe/Novell.Directory.Ldap.NETStandard I'm no LDAP ninja but I think there are multiple ways to verify users.
|
|
Greetings, I have this problem on my organization with more than 1000 users to query from LDAP server and still facing "Base Search: Size Limit Exceeded" and "Failure: User Filter: Size Limit Exceeded". was wonder if there is any workaround to fix this problem. as side note I did change Page Size limit on my LDAP which is active directory but still no luck . |
|
I posted links to the LDAP library of how to do the ldap calls correctly. This needs to be done in the plugin code. If you're familiar with C# a PR is very welcomed I think! |
|
Greetings Sphaero, Thanks for your respond , unfortunately I don't have that knowledge and therefor can't implement those change into source code, would be nice if you could do us a favor and fix this problem as I've been using this plugin lately and due to increase users that access our media servers we are facing this problem right now. With kind regards, Parham |
That's not directly true. It depends on the search filter. In the default Configuration the SearchFilter is "(memberOf=CN=JellyfinUsers,DC=contoso,DC=com)" If you want to work with huge amount of users permitted to access jellyfin, it would be better to use the username in the SearchFilter. (&(memberOf:1.2.840.113556.1.4.1941:=CN=MyUserGroup,DC=Groups,DC=dummy,DC=local)(objectClass=user)(sAMAccountName=%ESCAPEDUSERNAME%)) A way could be, that the SearchFilter is dynamically build depending on the login attributes like that
Or maybe so that users are be able to use advanced ldap filtering techniques? |
|
That might work as well. Are you saying this is already implemented or that this could be easily implemented? |
|
Greetings, This not implemented as far as I know , I tried to modify LDAP query but still no luck with it. |
Yes, that is the correct library.
The problem with both examples, that we ran into, is that they seem to require knowing the It's probably worth revisiting, I'll see if I can spend some time on this over the next few days. |
What query did you use? |
|
I would like to allow users that are member of ALL-Media group able to login into media server , this group is about 5000 members , this is what I'm using right now : (memberOf=CN=Org-AllMedia,OU=Departments,OU=Security,OU=Domain Groups,DC=local,DC=com) |
|
Ah ok, I thought you already tried to adjust the plugin code accordingly as I described in one of my previous posts. - Since the LDAP filter currently doesn't have any info about which user is logging in, no further restriction can be made here. |
|
This actually ended up being fairly easy. It just wasn't obvious how best to use the I have an improved search system incoming. |
|
And, it's not, because I was working from a much older version of the plugin that didn't try to do stuff like case-insensitive name searching. That will never work with a filter-based approach and will need to be removed. |
joshuaboniface
added a commit
to joshuaboniface/jellyfin-ldap-plugin
that referenced
this issue
Feb 28, 2023
The previous implementation would search for all users that potentially
matched the (mandatory) configured search filter, then loop through the
results to find a user matching one of the attributes.
This method worked fine for small instances, but became unwieldy for
larger LDAP instances, and could even result in a Size Limit Exceeded
error for extremely large databases.
This commit introduces a better method by integrating the user search
component into the initial LDAP search by way of the search filter. This
will ideally result in only a single LDAP search result for a given user
rather than potentially dozens or hundreds, reducing both the runtime
complexity of the plugin as well as the load on the LDAP server.
This new method has two potential ways of generating the limited
search filter:
First, the existing search filter option may now accept a
"{username}" variable within it, which will be interpolated at runtime
based on what the user entered. This method allows for very complex
queries to be crafted at will, providing better administrator
flexibility and options.
Second, if no "{username}" variable is found within the search filter,
the filter will be modified at runtime to include all of the search
attributes combined with the username to generate a search query which
will return any matches between the username and those queries. For
example, given attributes "uid" and "mail", a (base) search filter of
"(objectclass=mailUser)", and the entered username "joshua", the
following "real" search query would be produced:
(&(objectclass=mailUser)(|(uid=joshua)(mail=joshua)))
These two methods are, functionally, mutually exclusive: if the
search filter contains the "{username}" variable, the search attributes
will be ignored and may be blank/empty; on the other side, with valid
search attributes, it is no longer necessary to specify a search filter
at all, since there will still be a filter on the attributes and
username. Thus, the plugin now accepts blank input for both fields in
the configuration, though leaving both blank would not work properly.
In both cases with the new method, searches are case-insensitive, so the
option for case-insensitive username searches has been removed.
The new configuration is also backwards-compatible: if no changes are
made to the search filter, the second method above will be used and this
should continue to function exactly as expected.
Some debug messages have also been updated to provide a clearer picture
of what the plugin is doing at various steps and aid in troubleshooting.
Closes jellyfin#139 jellyfin#34
Obsoletes PR jellyfin#71
Why? Ldap search is case insensitive in most cases. (as long it's not a IA5String), usually you need to work with matching rules if you want it case sensitive. |
joshuaboniface
added a commit
to joshuaboniface/jellyfin-ldap-plugin
that referenced
this issue
Feb 28, 2023
The previous implementation would search for all users that potentially
matched the (mandatory) configured search filter, then loop through the
results to find a user matching one of the attributes.
This method worked fine for small instances, but became unwieldy for
larger LDAP instances, and could even result in a Size Limit Exceeded
error for extremely large databases.
This commit introduces a better method by integrating the user search
component into the initial LDAP search by way of the search filter. This
will ideally result in only a single LDAP search result for a given user
rather than potentially dozens or hundreds, reducing both the runtime
complexity of the plugin as well as the load on the LDAP server.
This new method has two potential ways of generating the limited
search filter:
First, the existing search filter option may now accept a
"{username}" variable within it, which will be interpolated at runtime
based on what the user entered. This method allows for very complex
queries to be crafted at will, providing better administrator
flexibility and options.
Second, if no "{username}" variable is found within the search filter,
the filter will be modified at runtime to include all of the search
attributes combined with the username to generate a search query which
will return any matches between the username and those queries. For
example, given attributes "uid" and "mail", a (base) search filter of
"(objectclass=mailUser)", and the entered username "joshua", the
following "real" search query would be produced:
(&(objectclass=mailUser)(|(uid=joshua)(mail=joshua)))
These two methods are, functionally, mutually exclusive: if the
search filter contains the "{username}" variable, the search attributes
will be ignored and may be blank/empty; on the other side, with valid
search attributes, it is no longer necessary to specify a search filter
at all, since there will still be a filter on the attributes and
username. Thus, the plugin now accepts blank input for both fields in
the configuration, though leaving both blank would not work properly.
In both cases with the new method, searches are case-insensitive, so the
option for case-insensitive username searches has been removed.
The new configuration is also backwards-compatible: if no changes are
made to the search filter, the second method above will be used and this
should continue to function exactly as expected.
Some debug messages have also been updated to provide a clearer picture
of what the plugin is doing at various steps and aid in troubleshooting.
Closes jellyfin#139 jellyfin#34
Obsoletes PR jellyfin#71
joshuaboniface
added a commit
to joshuaboniface/jellyfin-ldap-plugin
that referenced
this issue
Feb 28, 2023
The previous implementation would search for all users that potentially
matched the (mandatory) configured search filter, then loop through the
results to find a user matching one of the attributes.
This method worked fine for small instances, but became unwieldy for
larger LDAP instances, and could even result in a Size Limit Exceeded
error for extremely large databases.
This commit introduces a better method by integrating the user search
component into the initial LDAP search by way of the search filter. This
will ideally result in only a single LDAP search result for a given user
rather than potentially dozens or hundreds, reducing both the runtime
complexity of the plugin as well as the load on the LDAP server.
This new method has two potential ways of generating the limited
search filter:
First, the existing search filter option may now accept a
"{username}" variable within it, which will be interpolated at runtime
based on what the user entered. This method allows for very complex
queries to be crafted at will, providing better administrator
flexibility and options.
Second, if no "{username}" variable is found within the search filter,
the filter will be modified at runtime to include all of the search
attributes combined with the username to generate a search query which
will return any matches between the username and those queries. For
example, given attributes "uid" and "mail", a (base) search filter of
"(objectclass=mailUser)", and the entered username "joshua", the
following "real" search query would be produced:
(&(objectclass=mailUser)(|(uid=joshua)(mail=joshua)))
These two methods are, functionally, mutually exclusive: if the
search filter contains the "{username}" variable, the search attributes
will be ignored and may be blank/empty; on the other side, with valid
search attributes, it is no longer necessary to specify a search filter
at all, since there will still be a filter on the attributes and
username. Thus, the plugin now accepts blank input for both fields in
the configuration, though leaving both blank would not work properly.
In both cases with the new method, searches are case-insensitive, so the
option for case-insensitive username searches has been removed.
The new configuration is also backwards-compatible: if no changes are
made to the search filter, the second method above will be used and this
should continue to function exactly as expected.
Some debug messages have also been updated to provide a clearer picture
of what the plugin is doing at various steps and aid in troubleshooting.
An explanation of the two methods above is included in the plugin
configuration page, along with some rearranging of the options, to
assist users in configuring the two fields the way they want.
Closes jellyfin#139 jellyfin#34
Obsoletes PR jellyfin#71
joshuaboniface
added a commit
to joshuaboniface/jellyfin-ldap-plugin
that referenced
this issue
Feb 28, 2023
The previous implementation would search for all users that potentially
matched the (mandatory) configured search filter, then loop through the
results to find a user matching one of the attributes.
This method worked fine for small instances, but became unwieldy for
larger LDAP instances, and could even result in a Size Limit Exceeded
error for extremely large databases.
This commit introduces a better method by integrating the user search
component into the initial LDAP search by way of the search filter. This
will ideally result in only a single LDAP search result for a given user
rather than potentially dozens or hundreds, reducing both the runtime
complexity of the plugin as well as the load on the LDAP server.
This new method has two potential ways of generating the limited
search filter:
First, the existing search filter option may now accept a
"{username}" variable within it, which will be interpolated at runtime
based on what the user entered. This method allows for very complex
queries to be crafted at will, providing better administrator
flexibility and options.
Second, if no "{username}" variable is found within the search filter,
the filter will be modified at runtime to include all of the search
attributes combined with the username to generate a search query which
will return any matches between the username and those queries. For
example, given attributes "uid" and "mail", a (base) search filter of
"(objectclass=mailUser)", and the entered username "joshua", the
following "real" search query would be produced:
(&(objectclass=mailUser)(|(uid=joshua)(mail=joshua)))
These two methods are, functionally, mutually exclusive: if the
search filter contains the "{username}" variable, the search attributes
will be ignored and may be blank/empty; on the other side, with valid
search attributes, it is no longer necessary to specify a search filter
at all, since there will still be a filter on the attributes and
username. Thus, the plugin now accepts blank input for both fields in
the configuration, though leaving both blank would not work properly.
In both cases with the new method, searches are case-insensitive, so the
option for case-insensitive username searches has been removed.
The new configuration is also backwards-compatible: if no changes are
made to the search filter, the second method above will be used and this
should continue to function exactly as expected.
Some debug messages have also been updated to provide a clearer picture
of what the plugin is doing at various steps and aid in troubleshooting.
An explanation of the two methods above is included in the plugin
configuration page, along with some rearranging of the options, to
assist users in configuring the two fields the way they want.
Closes jellyfin#139 jellyfin#34
Obsoletes PR jellyfin#71
joshuaboniface
added a commit
to joshuaboniface/jellyfin-ldap-plugin
that referenced
this issue
Feb 28, 2023
The previous implementation would search for all users that potentially
matched the (mandatory) configured search filter, then loop through the
results to find a user matching one of the attributes.
This method worked fine for small instances, but became unwieldy for
larger LDAP instances, and could even result in a Size Limit Exceeded
error for extremely large databases.
This commit introduces a better method by integrating the user search
component into the initial LDAP search by way of the search filter. This
will ideally result in only a single LDAP search result for a given user
rather than potentially dozens or hundreds, reducing both the runtime
complexity of the plugin as well as the load on the LDAP server.
This new method has two potential ways of generating the limited
search filter:
First, the existing search filter option may now accept a
"{username}" variable within it, which will be interpolated at runtime
based on what the user entered. This method allows for very complex
queries to be crafted at will, providing better administrator
flexibility and options.
Second, if no "{username}" variable is found within the search filter,
the filter will be modified at runtime to include all of the search
attributes combined with the username to generate a search query which
will return any matches between the username and those queries. For
example, given attributes "uid" and "mail", a (base) search filter of
"(objectclass=mailUser)", and the entered username "joshua", the
following "real" search query would be produced:
(&(objectclass=mailUser)(|(uid=joshua)(mail=joshua)))
These two methods are, functionally, mutually exclusive: if the
search filter contains the "{username}" variable, the search attributes
will be ignored and may be blank/empty; on the other side, with valid
search attributes, it is no longer necessary to specify a search filter
at all, since there will still be a filter on the attributes and
username. Thus, the plugin now accepts blank input for both fields in
the configuration, though leaving both blank would not work properly.
In both cases with the new method, searches are case-insensitive, so the
option for case-insensitive username searches has been removed.
The new configuration is also backwards-compatible: if no changes are
made to the search filter, the second method above will be used and this
should continue to function exactly as expected.
Some debug messages have also been updated to provide a clearer picture
of what the plugin is doing at various steps and aid in troubleshooting.
An explanation of the two methods above is included in the plugin
configuration page, along with some rearranging of the options, to
assist users in configuring the two fields the way they want.
Closes jellyfin#139 jellyfin#34
Obsoletes PR jellyfin#71
joshuaboniface
added a commit
to joshuaboniface/jellyfin-ldap-plugin
that referenced
this issue
Feb 28, 2023
The previous implementation would search for all users that potentially
matched the (mandatory) configured search filter, then loop through the
results to find a user matching one of the attributes.
This method worked fine for small instances, but became unwieldy for
larger LDAP instances, and could even result in a Size Limit Exceeded
error for extremely large databases.
This commit introduces a better method by integrating the user search
component into the initial LDAP search by way of the search filter. This
will ideally result in only a single LDAP search result for a given user
rather than potentially dozens or hundreds, reducing both the runtime
complexity of the plugin as well as the load on the LDAP server.
This new method has two potential ways of generating the limited
search filter:
First, the existing search filter option may now accept a
"{username}" variable within it, which will be interpolated at runtime
based on what the user entered. This method allows for very complex
queries to be crafted at will, providing better administrator
flexibility and options.
Second, if no "{username}" variable is found within the search filter,
the filter will be modified at runtime to include all of the search
attributes combined with the username to generate a search query which
will return any matches between the username and those attributes. For
example, given attributes "uid" and "mail", a (base) search filter of
"(objectclass=mailUser)", and the entered username "joshua", the
following "real" search query would be produced:
(&(objectclass=mailUser)(|(uid=joshua)(mail=joshua)))
These two methods are, functionally, mutually exclusive: if the
search filter contains the "{username}" variable, the search attributes
will be ignored and may be blank/empty; on the other side, with valid
search attributes, it is no longer necessary to specify a search filter
at all, since there will still be a filter on the attributes and
username. Thus, the plugin now accepts blank input for both fields in
the configuration, though leaving both blank would not work properly.
In both cases with the new method, searches are case-insensitive, so the
option for case-insensitive username searches has been removed.
The new configuration is also backwards-compatible: if no changes are
made to the search filter, the second method above will be used and this
should continue to function exactly as expected.
Some debug messages have also been updated to provide a clearer picture
of what the plugin is doing at various steps and aid in troubleshooting.
An explanation of the two methods above is included in the plugin
configuration page, along with some rearranging of the options, to
assist users in configuring the two fields the way they want.
Closes jellyfin#139 jellyfin#34
Obsoletes PR jellyfin#71
joshuaboniface
added a commit
to joshuaboniface/jellyfin-ldap-plugin
that referenced
this issue
Feb 28, 2023
The previous implementation would search for all users that potentially
matched the (mandatory) configured search filter, then loop through the
results to find a user matching one of the attributes.
This method worked fine for small instances, but became unwieldy for
larger LDAP instances, and could even result in a Size Limit Exceeded
error for extremely large databases.
This commit introduces a better method by integrating the user search
component into the initial LDAP search by way of the search filter. This
will ideally result in only a single LDAP search result for a given user
rather than potentially dozens or hundreds, reducing both the runtime
complexity of the plugin as well as the load on the LDAP server.
This new method has two potential ways of generating the limited
search filter:
First, the existing search filter option may now accept a
"{username}" variable within it, which will be interpolated at runtime
based on what the user entered. This method allows for very complex
queries to be crafted at will, providing better administrator
flexibility and options.
Second, if no "{username}" variable is found within the search filter,
the filter will be modified at runtime to include all of the search
attributes combined with the username to generate a search query which
will return any matches between the username and those attributes. For
example, given attributes "uid" and "mail", a (base) search filter of
"(objectclass=mailUser)", and the entered username "joshua", the
following "real" search query would be produced:
(&(objectclass=mailUser)(|(uid=joshua)(mail=joshua)))
These two methods are, functionally, mutually exclusive: if the
search filter contains the "{username}" variable, the search attributes
will be ignored and may be blank/empty; on the other side, with valid
search attributes, it is no longer necessary to specify a search filter
at all, since there will still be a filter on the attributes and
username. Thus, the plugin now accepts blank input for both fields in
the configuration, though leaving both blank would not work properly.
In both cases with this change, searches are case-insensitive due to the
case-insensitivity of LDAP search queries,, so the option for
case-insensitive username searches has been removed as obsolete.
The new configuration is also backwards-compatible: if no changes are
made to the search filter, the second method above will be used and this
should continue to function exactly as expected.
Some debug messages have also been updated to provide a clearer picture
of what the plugin is doing at various steps and aid in troubleshooting.
An explanation of the two methods above is included in the plugin
configuration page, along with some rearranging of the options, to
assist users in configuring the two fields the way they want.
Closes jellyfin#139 jellyfin#34
Obsoletes PR jellyfin#71
|
@h3ge Yep, I realized that - have a fairly robust implementation incoming (just ignore those various force-pushes above lol). |
joshuaboniface
added a commit
to joshuaboniface/jellyfin-ldap-plugin
that referenced
this issue
Feb 28, 2023
The previous implementation would search for all users that potentially
matched the (mandatory) configured search filter, then loop through the
results to find a user matching one of the attributes.
This method worked fine for small instances, but became unwieldy for
larger LDAP instances, and could even result in a Size Limit Exceeded
error for extremely large databases.
This commit introduces a better method by integrating the user search
component into the initial LDAP search by way of the search filter. This
will ideally result in only a single LDAP search result for a given user
rather than potentially dozens or hundreds, reducing both the runtime
complexity of the plugin as well as the load on the LDAP server.
This new method has two potential ways of generating the limited
search filter:
First, the existing search filter option may now accept a
"{username}" variable within it, which will be interpolated at runtime
based on what the user entered. This method allows for very complex
queries to be crafted at will, providing better administrator
flexibility and options.
Second, if no "{username}" variable is found within the search filter,
the filter will be modified at runtime to include all of the search
attributes combined with the username to generate a search query which
will return any matches between the username and those attributes. For
example, given attributes "uid" and "mail", a (base) search filter of
"(objectclass=mailUser)", and the entered username "joshua", the
following "real" search query would be produced:
(&(objectclass=mailUser)(|(uid=joshua)(mail=joshua)))
These two methods are, functionally, mutually exclusive: if the
search filter contains the "{username}" variable, the search attributes
will be ignored and may be blank/empty; on the other side, with valid
search attributes, it is no longer necessary to specify a search filter
at all, since there will still be a filter on the attributes and
username. Thus, the plugin now accepts blank input for both fields in
the configuration, though leaving both blank would not work properly.
In both cases with this change, searches are case-insensitive due to the
case-insensitivity of LDAP search queries,, so the option for
case-insensitive username searches has been removed as obsolete.
The new configuration is also backwards-compatible: if no changes are
made to the search filter, the second method above will be used and this
should continue to function exactly as expected.
Some debug messages have also been updated to provide a clearer picture
of what the plugin is doing at various steps and aid in troubleshooting.
An explanation of the two methods above is included in the plugin
configuration page, along with some rearranging of the options, to
assist users in configuring the two fields the way they want.
Closes jellyfin#139 jellyfin#34
Obsoletes PR jellyfin#71
Greetings Joshua, Glad that you are working to solve this problem. was wonder if you have any ETA on new release. Regards |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It seems this plugin is querying the full ldap database and tries to compare a username to the returned list of users? Correct?
jellyfin-plugin-ldapauth/LDAP-Auth/LDAPAuthenticationProviderPlugin.cs
Lines 382 to 396 in 3a5b07b
If that's the case I don't think this how this is supposed to be done. One should do an ldap search for the username attribute matching the username. If that returns a hit one can continue.
Am I missing something here? An ldap administrator wouldn't be happy with these queries I guess?
I would help with the code but I'm no C# dev so I would need help setting up a test env?
The text was updated successfully, but these errors were encountered: