JBoss Community Archive (Read Only)

RHQ 4.9

Supporting LDAP query page control

A customer has requested that RHQ support LDAP query page controls, specifically for RHQ LDAP Authorization support. What follows is an explanation of why such requests may have validity and an outline of what would need to change to support LDAP query page controls.

What is LDAP query page control?

Quoting RFC 2696, this functionality was added with LDAPv3 and "allows a client to control the rate at which an LDAP server returns the results of an LDAP search operation". There are several motivations behind this RFC:

  • LDAP clients with limited bandwidth

  • LDAP clients with limited resources unable to parse entire response

  • Some LDAP servers explicitly limit (a) query result size and/or (b) query time to constrain performance and limit abuse. Supporting RFC 2696 allows controlled access to large/long query results.

While the first two reasons are not relevant for RHQ + LDAP integration, the final point is significant as larger organizations increasingly:

  1. can have tens of thousands of LDAP groups already defined

  2. are implementing query limit security and performance policies

Reason 1) may have a workaround if additional search query parameters can be applied during LDAP integration to coincidentally or intentionally filter out the 'right' LDAP groups that are applicable for LDAP authorization. Reason 2) is the clearest justification for why LDAP query page control should be supported for larger organizations.

Client side LDAP query page control

LDAP client support for RFC 2696 is available in JDK 6, but server side support is not guaranteed across all LDAP servers. Red Hat Directory Server and MS Active Directory are two examples of servers that support both policies to limit server side query access and client side query page control as described by RFC 2696.

To summarize:

  1. The LDAP client submits a search request to the server with a requested page size N that is smaller than the total number of search results.

  2. The LDAP server responds with:

    1. N results

    2. an indication of the total search result count (if the server reports it)

    3. essentially a session cookie for use in requesting the remaining paged results.

  3. The LDAP client iterates over the rest of the results by resubmitting the search with the 'session cookie' until the server returns an empty cookie.

RHQ recommendation

Given that some of the supported LDAP servers do support server side request throttling and configurable page sizes, I think we should:

  1. Add a new LDAP setting to support configuring a server side paging size. The assumption is that this value is set to the largest page size supported.

  2. If 'server side LDAP paging' is defined then we should:

    1. Use the configured page size when querying the available external LDAP groups for assignment to "LDAP" focused RHQ roles.

      1. Specifically, this means we would page through the available LDAP groups to add them all to the available groups list, assuming table filtering is used to display/search for specific groups for assignment.

    2. Evaluate current LDAP Group queries for refactoring so as to:

      1. avoid unnecessary performance hits for extremely large queries

      2. avoid being affected by incomplete query results that could be returned from current LDAP servers that support query throttling but don't properly support LDAP client paging as described by RFC 2696.
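The paging loop summarized above, using the JNDI paged-results support that JDK 6 ships, as an added example that is not RHQ code. The caller supplies an already-connected LdapContext, the search base and filter are assumptions, and pageSize stands for the proposed server side paging setting. Marking the control CRITICAL makes a server that limits results but does not implement RFC 2696 reject the search outright rather than silently hand back a truncated group list, which is the failure mode recommendation 2.2.2 is concerned with.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

public class PagedGroupSearch {

    // Returns the DNs of every entry matching 'filter' under 'baseDn', fetching at most
    // pageSize entries per round trip. pageSize is the (assumed) configured server side
    // paging size, expected to be no larger than the server's own size limit.
    public static List<String> searchAllGroups(LdapContext ctx, String baseDn, String filter,
                                               int pageSize) throws NamingException, IOException {
        List<String> dns = new ArrayList<String>();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        byte[] cookie = null;                       // no cookie on the first request
        do {
            // Step 1: request one page of N results, echoing back the server's cookie.
            // CRITICAL => a server that does not support the control must fail the search
            // (unavailableCriticalExtension) instead of returning a silently incomplete set.
            ctx.setRequestControls(new Control[] {
                new PagedResultsControl(pageSize, cookie, Control.CRITICAL) });
            NamingEnumeration<SearchResult> results = ctx.search(baseDn, filter, sc);
            while (results.hasMore()) {
                dns.add(results.next().getNameInNamespace());
            }
            results.close();
            // Step 2: the response control carries the cookie for the next page and,
            // optionally, the server's estimate of the total result count.
            cookie = null;
            Control[] responseControls = ctx.getResponseControls();
            if (responseControls != null) {
                for (Control c : responseControls) {
                    if (c instanceof PagedResultsResponseControl) {
                        PagedResultsResponseControl prrc = (PagedResultsResponseControl) c;
                        cookie = prrc.getCookie();   // prrc.getResultSize() == 0 if not reported
                    }
                }
            }
            // Step 3: an empty (or absent) cookie means the last page has been delivered.
        } while (cookie != null && cookie.length > 0);
        ctx.setRequestControls(null);               // clear the control for later operations
        return dns;
    }
}
```

A page size larger than the server's limit is silently clamped by most servers, so the configured value should be validated against the directory's size limit when the setting is saved.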

Current LDAP group assignment UI

[Image: LdapGroupAssignment.jpg (screenshot of the current LDAP group assignment UI)]

JBoss.org Content Archive (Read Only), exported from JBoss Community Documentation Editor at 2020-03-13 08:45:20 UTC, last content change 2013-09-18 19:44:01 UTC.