xwikisas/application-ldapuserimport

Referral exception sometimes thrown upon search of users

Closed this issue · 3 comments

lucaa commented

For some searches (not clear which ones), the following exception is logged by the ldap user import:

[...] xwiki/bin/get/LDAPUserImport/LDAPUserImportService] WARN  i.DefaultLDAPUserImportManager - Failed to get results 
com.novell.ldap.LDAPReferralException: Referral
	at com.novell.ldap.LDAPSearchResults.next(LDAPSearchResults.java:253)
	at org.xwiki.contrib.ldap.PagedLDAPSearchResults.next(PagedLDAPSearchResults.java:182)
	at com.xwiki.ldapuserimport.internal.DefaultLDAPUserImportManager.getUsers(DefaultLDAPUserImportManager.java:247)
	at com.xwiki.ldapuserimport.internal.DefaultLDAPUserImportManager.getUsers(DefaultLDAPUserImportManager.java:154)
	at com.xwiki.ldapuserimport.script.LDAPUserImportScriptService.getUsers(LDAPUserImportScriptService.java:54)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
        [...]

The referral topic seems to be related to the ldap server returning, as a result, a reference to other ldap servers (on which searches would need to be performed), probably for some sort of "aggregation" or "proxy"-ing of ldap servers (i'm not at all familiar with the topic).

This seems to have been handled in the past as https://jira.xwiki.org/browse/XWIKI-2388 and https://jira.xwiki.org/browse/XWIKI-6070 .
I propose to do the following as part of the ticket:

  • diagnose the consequences of this exception: what is the functional impact of this exception? Are there missing results in the search? Does this create a desynchronization between the accounts that can connect on the wiki using ldap authentication and the accounts that can be imported ?
  • fix these consequences, if possible
  • if there are no functional consequences, handle the exception better so that it still displays (as a warning) but doesn't pollute the logs.
lucaa commented

The stacktrace is from version 1.0.3 of this extension, so the line numbers are referring the code at that version.

lucaa commented

I found, in the documentation of the setReferralFollowing() function used here https://github.com/xwiki-contrib/ldap/blob/master/ldap-authenticator/src/main/java/org/xwiki/contrib/ldap/XWikiLDAPConnection.java#L218 , that the automatic following only works if the URL received is an LDAP url (ldap://) so indeed the logs added by @acotiuga in 9417d58 should help understand better the circumstances in which this occurs.

oanalavinia commented

Closed by #56, specifically by https://jira.xwiki.org/browse/LDAP-119

  • 👍1
  • ❤️1