Skip to content

Commit

Permalink
Correct Default for MaximumPageSize (#20453) (#20638)
Browse files Browse the repository at this point in the history
* default max page size for config

* Add changelog

* update test int to *int

* add testing defaults

* update default to -1, i.e. dont paginate

* update test

* Add error message for invalid search

* Make 0 the default

* cleanup

* Add to known issues doc

* Update website/content/docs/upgrading/upgrade-to-1.13.x.mdx

* Update website/content/docs/upgrading/upgrade-to-1.11.x.mdx



* Update website/content/docs/upgrading/upgrade-to-1.13.x.mdx



* Update website/content/docs/upgrading/upgrade-to-1.12.x.mdx



* Add workaround to docs

* Update changelog/20453.txt



---------

Co-authored-by: Luis (LT) Carbonell <lt.carbonell@hashicorp.com>
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
  • Loading branch information
4 people authored May 17, 2023
1 parent 19b5648 commit 3d45d61
Show file tree
Hide file tree
Showing 8 changed files with 42 additions and 11 deletions.
3 changes: 3 additions & 0 deletions changelog/20453.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
```release-note:bug
auth/ldap: Set default value for `max_page_size` properly
```
2 changes: 1 addition & 1 deletion sdk/helper/ldaputil/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -536,7 +536,7 @@ func (c *Client) GetLdapGroups(cfg *ConfigEntry, conn Connection, userDN string,
if cfg.UseTokenGroups {
entries, err = c.performLdapTokenGroupsSearch(cfg, conn, userDN)
} else {
if paging, ok := conn.(PagingConnection); ok && cfg.MaximumPageSize >= 0 {
if paging, ok := conn.(PagingConnection); ok && cfg.MaximumPageSize > 0 {
entries, err = c.performLdapFilterGroupsSearchPaging(cfg, paging, userDN, username)
} else {
entries, err = c.performLdapFilterGroupsSearch(cfg, conn, userDN, username)
Expand Down
5 changes: 2 additions & 3 deletions sdk/helper/ldaputil/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ import (
"encoding/pem"
"errors"
"fmt"
"math"
"strings"
"text/template"

Expand Down Expand Up @@ -236,8 +235,8 @@ Default: ({{.UserAttr}}={{.Username}})`,

"max_page_size": {
Type: framework.TypeInt,
Description: "The maximum number of results to return for a single paged query. If not set, the server default will be used for paged searches. A requested max_page_size of 0 is interpreted as no limit by LDAP servers. If set to a negative value, search requests will not be paged.",
Default: math.MaxInt32,
Description: "If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.",
Default: 0,
},
}
}
Expand Down
2 changes: 1 addition & 1 deletion sdk/helper/ldaputil/config_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,7 @@ var jsonConfigDefault = []byte(`
"username_as_alias": false,
"request_timeout": 90,
"connection_timeout": 30,
"max_page_size": 2147483647,
"max_page_size": 0,
"CaseSensitiveNames": false,
"ClientTLSCert": "",
"ClientTLSKey": ""
Expand Down
5 changes: 2 additions & 3 deletions website/content/api-docs/auth/ldap.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -94,11 +94,10 @@ This endpoint configures the LDAP auth method.
returning _user_ objects, use: `memberOf`. The default is `cn`.
- `username_as_alias` `(bool: false)` - If set to true, forces the auth method
to use the username passed by the user as the alias name.
- `max_page_size` `(int: math.MaxInt32)` - If set to a value greater than 0, the LDAP
- `max_page_size` `(int: 0)` - If set to a value greater than 0, the LDAP
backend will use the LDAP server's paged search control to request pages of
up to the given size. This can be used to avoid hitting the LDAP server's
maximum result size limit. A value of 0 will be interpreted by the LDAP
server as unlimited. If set to -1, the LDAP backend will not use the
maximum result size limit. Otherwise, the LDAP backend will not use the
paged search control.

@include 'tokenfields.mdx'
Expand Down
2 changes: 1 addition & 1 deletion website/content/docs/auth/ldap.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,7 @@ Use `vault path-help` for more details.
### Other

- `username_as_alias` (bool, optional) - If set to true, forces the auth method to use the username passed by the user as the alias name.
- `max_page_size` (int, optional) - The maximum number of results to return for a single LDAP query. This is useful for preventing large queries from being run against the LDAP server. The default is the maximum value for an int32.
- `max_page_size` (int, optional) - If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.

## Examples:

Expand Down
17 changes: 16 additions & 1 deletion website/content/docs/upgrading/upgrade-to-1.11.x.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -27,4 +27,19 @@ API path by setting the [bool config option](/api-docs/secret/databases/elasticd

@include 'raft-retry-join-failure.mdx'

@include 'tokenization-rotation-persistence.mdx'
@include 'tokenization-rotation-persistence.mdx'

### LDAP Pagination Issue

There was a regression introduced in 1.11.10 relating to LDAP maximum page sizes, resulting in
an error `no LDAP groups found in groupDN [...] only policies from locally-defined groups available`. The issue
occurs when upgrading Vault with an instance that has an existing LDAP Auth configuration.

As a workaround, disable paged searching using the following:
```shell-session
vault write auth/ldap/config max_page_size=-1
```

#### Impacted Versions

Affects Vault 1.11.10.
17 changes: 16 additions & 1 deletion website/content/docs/upgrading/upgrade-to-1.12.x.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -152,7 +152,7 @@ It will produce errors in Vault Server's logs such as:
error=
| 1 error occurred:
| * panic generating audit log
|
|
```

As a workaround, [listing plugins by type](/api-docs/system/plugins-catalog#list-plugins-1)
Expand Down Expand Up @@ -184,3 +184,18 @@ Affects version 1.12.3. A fix will be released in 1.12.4.
@include 'tokenization-rotation-persistence.mdx'

@include 'ocsp-redirect.mdx'

### LDAP Pagination Issue

There was a regression introduced in 1.12.6 relating to LDAP maximum page sizes, resulting in
an error `no LDAP groups found in groupDN [...] only policies from locally-defined groups available`. The issue
occurs when upgrading Vault with an instance that has an existing LDAP Auth configuration.

As a workaround, disable paged searching using the following:
```shell-session
vault write auth/ldap/config max_page_size=-1
```

#### Impacted Versions

Affects Vault 1.12.6.

0 comments on commit 3d45d61

Please sign in to comment.