LDAP Team sync improvements

- Add a large amount of additional logging
- Handle NO_SUCH_OBJECT in AD searches
- Only check if *a* record exists when adding syncing, as opposed to loading the entire search set
This commit is contained in:
Joseph Schorr 2017-04-26 20:26:12 -04:00
parent a9337ff484
commit dd1addee29


@ -274,7 +274,7 @@ class LDAPUsers(FederatedUsers):
if err is not None: if err is not None:
return (False, err) return (False, err)
if not list(it): if not next(it, False):
return (False, 'Group does not exist or is empty') return (False, 'Group does not exist or is empty')
return (True, None) return (True, None)
@ -301,24 +301,48 @@ class LDAPUsers(FederatedUsers):
for user_search_dn in self._user_dns: for user_search_dn in self._user_dns:
# Conduct the initial search for users that are a member of the group. # Conduct the initial search for users that are a member of the group.
if has_pagination: logger.debug('Conducting LDAP search of DN: %s and filter %s', user_search_dn, search_flt)
msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, serverctrls=[lc], try:
attrlist=attributes) if has_pagination:
else: msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt,
msgid = conn.search(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, attrlist=attributes) serverctrls=[lc], attrlist=attributes)
else:
msgid = conn.search(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, attrlist=attributes)
except ldap.LDAPError as lde:
logger.exception('Got error when trying to search %s with filter %s: %s',
user_search_dn, search_flt, lde.message)
break
while True: while True:
if has_pagination: try:
_, rdata, _, serverctrls = conn.result3(msgid) if has_pagination:
else: _, rdata, _, serverctrls = conn.result3(msgid)
_, rdata = conn.result(msgid) else:
_, rdata = conn.result(msgid)
# Yield any users found. # Yield any users found.
for userdata in rdata: found_results = 0
yield self._build_user_information(userdata[1]) for userdata in rdata:
found_results = found_results + 1
yield self._build_user_information(userdata[1])
logger.debug('Found %s users in group %s; %s', found_results, user_search_dn,
search_flt)
except ldap.NO_SUCH_OBJECT as nsoe:
logger.debug('NSO when trying to lookup results of search %s with filter %s: %s',
user_search_dn, search_flt, nsoe.message)
except ldap.LDAPError as lde:
logger.exception('Error when trying to lookup results of search %s with filter %s: %s',
user_search_dn, search_flt, lde.message)
break
# If no additional results, nothing more to do.
if not found_results:
break
# If pagination is disabled, nothing more to do. # If pagination is disabled, nothing more to do.
if not has_pagination: if not has_pagination:
logger.debug('Pagination is disabled, no further queries')
break break
# Filter down the controls with which the server responded, looking for the paging # Filter down the controls with which the server responded, looking for the paging
@ -332,11 +356,13 @@ class LDAPUsers(FederatedUsers):
# then conduct the next search. # then conduct the next search.
cookie = lc.cookie = pctrls[0].cookie cookie = lc.cookie = pctrls[0].cookie
if cookie: if cookie:
msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, logger.debug('Pagination is supported for this LDAP server; trying next page')
serverctrls=[lc], attrlist=attributes) msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt,
continue serverctrls=[lc], attrlist=attributes)
continue
else: else:
# No additional results. # No additional results.
logger.debug('Pagination is supported for this LDAP server but on last page')
break break
else: else:
# Pagination is not supported. # Pagination is not supported.
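Review bot: In the second hunk (@ -301,24 +301,48), `found_results = 0` is assigned only after `conn.result3`/`conn.result` return inside the `try`, so when the new `except ldap.NO_SUCH_OBJECT` branch fires (it logs and falls through, unlike the `LDAPError` branch) the `if not found_results:` check that follows reads an unassigned local on the first pass through `while True` (UnboundLocalError) or, on a later entry of `self._user_dns`, the stale count from the previous DN and re-enters the loop on a msgid that has already been consumed. Initialise it before the `try:` at the top of the `while True` body, `found_results = 0`, so the NO_SUCH_OBJECT path reliably reaches the break. The `break` in the outer `except ldap.LDAPError` around the `search_ext`/`search` call leaves the `for user_search_dn` loop entirely, abandoning every remaining search DN rather than moving on to the next one; if that is not intended, `continue` is the statement wanted there. `logger.exception` already records the traceback, so passing `lde.message` is redundant, and `.message` is not a guaranteed attribute of `ldap.LDAPError` (its details are in `args`), which — depending on the python-ldap version in use — could itself raise inside the handler and mask the original error. The enclosing method starts before and ends after these hunks.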