Bug #5504: LDAP error when defining group criteria - Rudder - Issue Tracker

Actions

Copy link

Bug #5504

closed

LDAP error when defining group criteria

Added by Dennis Cabooter about 10 years ago. Updated almost 9 years ago.

Status:

Released

Priority:

1 (highest)

Assignee:

Nicolas CHARLES

Category:

Web - Nodes & inventories

Target version:

2.6.18

Pull Request:

https://github.com/Normation/rudder/p...

Severity:

UX impact:

User visibility:

Effort required:

Priority:

Name check:

Fix check:

Regression:

Description

If I try to create a Node Group, using a regex for searching, I get the following error:

[2014-09-08 16:59:59] ERROR com.normation.ldap.sdk.RoLDAPConnection - Ignored execption (configured to be ignored)
com.unboundid.ldap.sdk.LDAPSearchException: size limit exceeded
    at com.unboundid.ldap.sdk.LDAPConnection.search(LDAPConnection.java:3297) ~[unboundid-ldapsdk-2.3.4.jar:2.3.4]

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Updated by Vincent MEMBRÉ about 10 years ago

Category set to Web - Nodes & inventories
Assignee set to François ARMAND

Thansk Dennis, can you add the criteria you put in the regexp field ??

Thanks!

Actions

Copy link

Updated by Dennis Cabooter about 10 years ago

As discussed on IRC:

17:12 < Vince_McBuche> dnns: What is the value you entered ? so we can 
                       reproduce it :)
17:18 < dnns> software version regex .*winbind.*
17:18 < dnns> for your info:
17:18 < dnns> software version = winbind
17:18 < dnns> does work
17:18 < dnns> (but i need the regex)

Actions

Copy link

Updated by Dennis Cabooter about 10 years ago

When trying this at Search Nodes...

This doesn't work:

Software Name Regex rudder.*

This works:

Software Name = rudder-agent
Software Version Regex 2\.11\..*

Actions

Copy link

Updated by Dennis Cabooter about 10 years ago

In the last example, this:

Software Version Regex rudder.*

Should be this:

Software Name Regex rudder.*

Actions

Copy link

Updated by Vincent MEMBRÉ about 10 years ago

Thanks Dennis, i edited the comment!

Actions

Copy link

Updated by François ARMAND about 10 years ago

Status changed from New to 8

So, the problem is due to the number of software entries. In more details:

LDAP does not support regex matching on queries. So to handle them, we return all the entries to check for the regex and process the regex on the client side.

On the other hand, there is limits on the number of entries returned by the server.

The conjonction of the two factors lead to the error.

I think there is no reason to limit the number of returned entries, and we should just safe-guard with a time limit for requests.
An other solution is to pre-process the regex query to see if it can be more efficiently translated to a substring query, as it is the case here, so that we have far less response in the common cases.

An other think: we never ever delete software, meaning that their number is strictly rising and so that bug will appear at some point for any people using regex match on software.

I don't see any easy (i.e: without code in the webapp) workaround safe removing softwares from LDAP so that only actuall software will be re-added (and so that the total stay under the limit.

Actions

Copy link