LDAP Team sync improvements

- Add a large amount of additional logging
- Handle NO_SUCH_OBJECT in AD searches
- Only check whether *a* record exists when adding a sync, as opposed to loading the entire search set
This commit is contained in:
Joseph Schorr 2017-04-26 20:26:12 -04:00
parent a9337ff484
commit dd1addee29


@ -274,7 +274,7 @@ class LDAPUsers(FederatedUsers):
if err is not None:
return (False, err)
if not list(it):
if not next(it, False):
return (False, 'Group does not exist or is empty')
return (True, None)
@ -301,24 +301,48 @@ class LDAPUsers(FederatedUsers):
for user_search_dn in self._user_dns:
# Conduct the initial search for users that are a member of the group.
logger.debug('Conducting LDAP search of DN: %s and filter %s', user_search_dn, search_flt)
try:
if has_pagination:
msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, serverctrls=[lc],
attrlist=attributes)
msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt,
serverctrls=[lc], attrlist=attributes)
else:
msgid = conn.search(user_search_dn, ldap.SCOPE_SUBTREE, search_flt, attrlist=attributes)
except ldap.LDAPError as lde:
logger.exception('Got error when trying to search %s with filter %s: %s',
user_search_dn, search_flt, lde.message)
break
while True:
try:
if has_pagination:
_, rdata, _, serverctrls = conn.result3(msgid)
else:
_, rdata = conn.result(msgid)
# Yield any users found.
found_results = 0
for userdata in rdata:
found_results = found_results + 1
yield self._build_user_information(userdata[1])
logger.debug('Found %s users in group %s; %s', found_results, user_search_dn,
search_flt)
except ldap.NO_SUCH_OBJECT as nsoe:
logger.debug('NSO when trying to lookup results of search %s with filter %s: %s',
user_search_dn, search_flt, nsoe.message)
except ldap.LDAPError as lde:
logger.exception('Error when trying to lookup results of search %s with filter %s: %s',
user_search_dn, search_flt, lde.message)
break
# If no additional results, nothing more to do.
if not found_results:
break
# If pagination is disabled, nothing more to do.
if not has_pagination:
logger.debug('Pagination is disabled, no further queries')
break
# Filter down the controls with which the server responded, looking for the paging
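Review bot: `found_results` is only assigned after `conn.result3`/`conn.result` returns, so when the new `ldap.NO_SUCH_OBJECT` handler catches an error raised by that call the code falls through to `if not found_results:` with the name unbound on the first pass (UnboundLocalError) or still holding the previous page's count on later passes, where the paging branch below then re-issues the search with stale `serverctrls`. Move `found_results = 0` to just above the `try:` and finish the NO_SUCH_OBJECT handler with `break`, since a base DN that does not exist cannot have further pages. Separately, an absent `user_search_dn` now looks identical to an empty group to the consumer of this generator; if that output drives membership reconciliation (not visible here), a misconfigured DN would silently read as "no members", so logging that case at warning rather than debug would make the condition visible to operators. The enclosing method starts before this hunk and its paging branch continues past it.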
@ -332,11 +356,13 @@ class LDAPUsers(FederatedUsers):
# then conduct the next search.
cookie = lc.cookie = pctrls[0].cookie
if cookie:
logger.debug('Pagination is supported for this LDAP server; trying next page')
msgid = conn.search_ext(user_search_dn, ldap.SCOPE_SUBTREE, search_flt,
serverctrls=[lc], attrlist=attributes)
continue
else:
# No additional results.
logger.debug('Pagination is supported for this LDAP server but on last page')
break
else:
# Pagination is not supported.