Comments (3)
Some more information: if I add the entry with a subset of values, then add more and more values with modification change requests, I can go beyond the threshold. And I can read back the entry with the UnboundID SDK.
So really, the problem seems to lie in the encoding of one attribute with lots of values in one go.
This is almost certainly a case of the directory server closing the connection rather than a problem with the LDAP SDK itself. Most directory servers impose a limit on the size of a request that the client can send, although that limit is usually configurable.
Imposing a limit on the maximum size of an LDAP request is an important safety feature because of the way that LDAP works at the protocol level. LDAP requests are encoded using the ASN.1 Basic Encoding Rules (BER), as described at https://ldap.com/ldapv3-wire-protocol-reference-asn1-ber/. A BER element contains three components:
- A byte (or multiple bytes in rare cases that you’re not likely to encounter in LDAP) that provides information about the type of data held in that element.
- One or more bytes that specify the number of bytes in the element’s value.
- An encoded representation of the element value.
Each LDAP message is encoded as a BER sequence, which is a kind of container that basically holds an array of other elements (the message ID, the body of the request or response, and an optional set of controls). But ultimately, each LDAP request and response is encapsulated in a BER element that has all of the other elements inside it.
When the server receives a request from the client, it first reads the type and length of the BER element that holds the LDAP message, and then it needs to allocate enough memory to hold the value of that element. In this case, the client is sending a big request, and the server is refusing to allocate that much memory. It’s probably a relatively small amount of memory (maybe just a couple of megabytes), but it’s a safety mechanism nonetheless because it prevents a malicious client from establishing a connection and sending the start of a BER message that says the element value is something big, like a gigabyte, and causing the server to allocate that much memory. If the client establishes a lot of connections that all do that, it can cause the server to run out of memory and crash or start swapping or exhibit some other kind of erratic behavior.
The directory server’s only real safeguard against this type of attack is to terminate any connection on which a client indicates that it wants to send a big request. It could send a notice of disconnection unsolicited notification before it does that to explain why it’s closing the connection, but not all servers do that, and you would have also needed to register an unsolicited notification handler in the LDAP SDK to be able to get that notification anyway.
But the good news is that the maximum request size limit is probably configurable. Most servers have a relatively low limit (I think it’s usually in the 1–5 megabyte range) since LDAP requests are typically pretty small, and about the only time you really run into this issue is when you’re trying to add a really big entry. But you can probably update the configuration to raise the limit. In the Ping Identity Directory Server, there’s a max-request-size property in the LDAP connection handler configuration. In directory servers derived from the Netscape Directory Server codebase (including the Fedora 389 Directory Server, Red Hat Directory Server, and Oracle DSEE), I think that the configuration attribute is called nsslapd-maxbersize. I’m not as familiar with the configuration for other types of servers like OpenLDAP or Active Directory, but there’s probably some way to raise the limit. I’d recommend checking the documentation or using the support channels for the server that you’re using to see what the options are for the server that you’re using.
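The type/length/value reading described in the comment above, as an added example that is not code from the UnboundID LDAP SDK or from any directory server: a small Python reader for the outer BER SEQUENCE of an LDAP message that compares the declared length against a cap before allocating anything. The default cap reuses 4194303, the OpenLDAP sockbuf_max_incoming_auth default mentioned in this thread; the sample messages are constructed, not real LDAP operations.

```python
import io
# Default cap: OpenLDAP's sockbuf_max_incoming_auth default quoted in this thread.
MAX_REQUEST_SIZE = 4194303

class RequestTooLarge(Exception):
    """The client announced an LDAP message larger than the configured cap."""

def read_ber_header(stream):
    """Read a BER element's type byte and length octets, not its value."""
    head = stream.read(2)
    if len(head) != 2:
        raise EOFError("truncated BER header")
    tag, first = head[0], head[1]
    if first < 0x80:                        # short form: length < 128
        return tag, first
    num_octets = first & 0x7F
    if num_octets == 0 or num_octets > 4:   # indefinite form, or wider than 32 bits
        raise ValueError("unsupported BER length encoding")
    raw = stream.read(num_octets)
    if len(raw) != num_octets:
        raise EOFError("truncated BER length")
    return tag, int.from_bytes(raw, "big")

def read_ldap_message(stream, max_size=MAX_REQUEST_SIZE):
    """Read one LDAP message (outer BER SEQUENCE, tag 0x30). The declared length
    is checked against max_size BEFORE any buffer is allocated."""
    tag, length = read_ber_header(stream)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE (0x30), got 0x{tag:02x}")
    if length > max_size:
        raise RequestTooLarge(f"declared length {length} exceeds cap {max_size}")
    value = stream.read(length)             # allocation only after the check
    if len(value) != length:
        raise EOFError("truncated LDAP message")
    return value

# Constructed samples: a 203-byte body in a long-form SEQUENCE (0x81 0xCB), and a
# header-only stream that declares a 1 GiB message (0x84 0x40000000) with no data.
SMALL_MESSAGE = b"\x30\x81\xcb" + b"\x02\x01\x01" + b"\x04" * 200
HUGE_HEADER = b"\x30\x84\x40\x00\x00\x00"

def demo():
    accepted = len(read_ldap_message(io.BytesIO(SMALL_MESSAGE)))
    try:
        read_ldap_message(io.BytesIO(HUGE_HEADER))
        return accepted, False
    except RequestTooLarge:
        return accepted, True
```

A server built this way pays only a few header bytes to refuse the oversized message, which is exactly why closing the connection is the cheap and safe response.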
Many, many thanks for your answer. I'm using OpenLDAP, and I was almost sure that there was such a parameter to change. I had already tested that the request was arriving at OpenLDAP and didn't see anything, so I thought that the problem was before that.
In fact, there is a little message "ber_get_next on fd 10 failed errno=34 (Numerical result out of range)" which only appears at high debug level and was lost in the middle of everything.
With that in hand, it was easier to find that the correct parameter is 'sockbuf_max_incoming_auth':
sockbuf_max_incoming_auth <integer>
Specify the maximum incoming LDAP PDU size for authenticated sessions. The default is 4194303.
Increasing that parameter in slapd.conf did the trick.
Many thanks for having forced me to double (decuple, actually) check!