Bug 50541

Summary: JNDIRealm: support configuring LDAP sizeLimit (countLimit in SearchControls)
Product: Tomcat 7
Reporter: Aleksander Adamowski <apache>
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: trunk   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Aleksander Adamowski 2011-01-04 11:35:07 UTC
Today, when enabling an application's LDAP authentication through Active Directory, I've discovered that with an apparently completely correct LDAP Realm configuration on the Tomcat side, AD returns the following error all the time:

LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906DD, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1771

After some hours of Googling and experimenting with referrals, subtree search modes et cetera, I've found out (through network packet analysis) that the problem is caused by LDAP sizeLimit being set to zero in the searches sent by Tomcat.

After closer inspection of Tomcat source code, I've dug out this class:


And this code fragment in the method getUserBySearch(DirContext context, String username, String[] attrIds):

        // Set up the search controls
        SearchControls constraints = new SearchControls();

        // The only control exposed through configuration is the search scope
        if (userSubtree) {
            constraints.setSearchScope(SearchControls.SUBTREE_SCOPE);
        }
        else {
            constraints.setSearchScope(SearchControls.ONELEVEL_SCOPE);
        }

        // Specify the attributes to be retrieved
        if (attrIds == null)
            attrIds = new String[0];
        constraints.setReturningAttributes(attrIds);

        // countLimit (LDAP sizeLimit) and timeLimit are left at their
        // SearchControls defaults, i.e. 0, which is sent to the server as-is
        NamingEnumeration<SearchResult> results =
            context.search(userBase, filter, constraints);

As you can see (http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm), currently there's no way to customize other search controls than search scope and returning attributes by means of XML configuration.

In javax.naming.directory.SearchControls, the LDAP sizeLimit is determined by the countLimit property:

I propose to create a new configuration attribute for the Realm XML element that would enable setting this limit, and naming it "sizeLimit" (not "countLimit" like the Java property, because in LDAP world people are used to the former term). While we're at it, adding "timeLimit" (measured in milliseconds) attribute would be also nice.

So for example one would be able to set a sizeLimit of 1000 entries and a timeLimit of 5 seconds this way:

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
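As an added illustration of the proposal above (this is not Tomcat's code and not part of the original report), the snippet below shows how a realm would map sizeLimit/timeLimit configuration attributes onto javax.naming.directory.SearchControls and what happens at search time when a limit is hit. The class name, method names and the "treat an over-limit result as no match" policy are assumptions chosen for the example; the JNDI calls themselves (setCountLimit, setTimeLimit, SizeLimitExceededException, TimeLimitExceededException) are standard.

```java
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.SizeLimitExceededException;
import javax.naming.TimeLimitExceededException;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example (hypothetical class, not Tomcat's JNDIRealm): builds the
 * SearchControls for a user lookup from realm-style attributes and runs the
 * search with the limit-related exceptions handled explicitly.
 */
public class LimitedUserSearch {

    /**
     * Maps realm attributes onto JNDI SearchControls.
     * sizeLimit is the LDAP sizeLimit (JNDI calls it countLimit);
     * timeLimitMillis is in milliseconds. For both, 0 means "no limit".
     */
    public static SearchControls buildControls(boolean userSubtree,
                                               String[] attrIds,
                                               long sizeLimit,
                                               int timeLimitMillis) {
        SearchControls constraints = new SearchControls();
        constraints.setSearchScope(userSubtree
                ? SearchControls.SUBTREE_SCOPE
                : SearchControls.ONELEVEL_SCOPE);
        constraints.setReturningAttributes(attrIds == null ? new String[0] : attrIds);
        constraints.setCountLimit(sizeLimit);     // LDAP sizeLimit
        constraints.setTimeLimit(timeLimitMillis); // LDAP timeLimit, in ms
        return constraints;
    }

    /**
     * Runs the user search and returns the single matching entry, or null.
     * A user lookup must match exactly one entry: two or more matches, a
     * server- or client-side size limit being exceeded, or a time limit
     * being exceeded are all treated as "no usable match" rather than as
     * a successful lookup of whichever entry happened to come back first.
     */
    public static SearchResult findUser(DirContext context, String userBase,
                                        String filter, SearchControls constraints)
            throws NamingException {
        NamingEnumeration<SearchResult> results = null;
        try {
            results = context.search(userBase, filter, constraints);
            if (!results.hasMore()) {
                return null;              // no such user
            }
            SearchResult entry = results.next();
            if (results.hasMore()) {
                return null;              // ambiguous filter: more than one match
            }
            return entry;
        } catch (SizeLimitExceededException e) {
            // Raised by hasMore()/next() when countLimit or the server's
            // own size limit is hit before the enumeration is exhausted.
            return null;
        } catch (TimeLimitExceededException e) {
            // The directory did not answer within timeLimit.
            return null;
        } finally {
            if (results != null) {
                results.close();          // release the server-side search
            }
        }
    }
}
```

Note that a user lookup is expected to match exactly one entry, so a small sizeLimit (even 2) is enough to detect an ambiguous filter while still bounding what the directory is asked to return; a realm that kept only the first result of an over-limit search would silently authenticate against whichever entry the server listed first.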
Comment 1 Mark Thomas 2011-01-04 12:35:16 UTC
Fixed in 7.0.x and will be included in 7.0.6 onwards.
Comment 2 Marek Wasilewski 2011-01-05 06:33:18 UTC
(In reply to comment #1)
> Fixed in 7.0.x and will be included in 7.0.6 onwards.

Are you planning on applying this fix also to the 6.0.x version?
Comment 3 Mark Thomas 2011-01-05 06:36:35 UTC
There are no such plans at present.