Infinite Scale 2.0.0 problems with external LDAP

I’ve tested Infinite Scale 2.0.0 with an external read-only LDAP server and am struggling with the following problems:

  • User management page tries to get all the users (and their groups) from LDAP every time it is opened. This does not scale and takes a long time even with only a few hundred users.
  • User management page doesn’t properly handle the case where LDAP server limits the number of entries returned to a query to e.g. (several pages of) 500 entries. Trying to get all (>100k) users in this case results in LDAP Result Code 4 “Size Limit Exceeded”, as seen in the browser console. This is not an error as a limited number of entries were actually returned. But it is interpreted as an error resulting in a 404 status and no users being displayed at all.
  • User management does not allow to set roles for users. It displays “No options available.” rather than a list of possible roles. Can roles not be managed when LDAP server is read-only?

Steps to reproduce

  1. Set up Infinite Scale 2.0.0 with a read-only LDAP server
  2. Set a size limit on the LDAP server so it doesn’t return all users to a wildcard query to see the problem with size limit
  3. Log in as admin
  4. Open user management page
  5. Retry without the size limit on the LDAP server and try to manage roles

Do others also see these problems? Am I missing something? Any help appreciated.

Update: Displaying and updating roles failed because user-management also tries to get all the groups from LDAP which also fails if the number of entries returned is limited by the LDAP server. Same problem as with trying to get all the users above.

After getting all the users and all the groups user-management then tries to get the role assignments for all the users. This fails for all the users who haven’t logged in yet. After the three operations on all the users/groups have finished - and quite a wait - the user management page displays and role assignment works.

Remaining problems:

  • user-management does not work at all when LDAP limits the number of entries returned to wildcard queries.
  • user-management tries to retrieve information about all users/groups before loading. This does not scale. E.g. with 279 users and 56 groups user-management takes 45 seconds to load.

Yes, currently the UI and the Rest APIs for user / group management don’t handle the sizelimit (and other administrative limits) very well.

Regarding slowness: we already track the LDAP part of that in this issue: Lot's of redundant LDAP queries of listing all groups with members · Issue #4278 · owncloud/ocis · GitHub. But there are also enhancements needed in our Rest APIs and UI to allow proper filtering.

Apart from handling the sizelimit the user-management UI should allow filtering users immediately rather than only after the operations on all the users. Even just a few letters entered in the user filter would reduce the number of required operations significantly. In our specific case LDAP never returns all the users so a filter is always required. It would also be quite handy to be able to limit search to users who have actually logged in before.

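An added example, not code from Infinite Scale or from any poster in this thread: Go code for the two behaviours discussed above, treating LDAP result code 4 as a truncated but usable result, and requiring an escaped search term so that no wildcard-only query is sent. The `searchResponse` type, the function names and the `inetOrgPerson`/`uid`/`cn` schema are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// LDAP result codes from RFC 4511: success and sizeLimitExceeded.
const resultSuccess, resultSizeLimitExceeded = 0, 4

// searchResponse is a hypothetical stand-in for an LDAP client's search result.
type searchResponse struct {
	Entries    []string
	ResultCode int
}

// escapeFilter escapes the characters RFC 4515 reserves in filter values, so
// typed search text cannot alter the filter structure or add wildcards.
var escapeFilter = strings.NewReplacer(`\`, `\5c`, `*`, `\2a`, `(`, `\28`, `)`, `\29`, "\x00", `\00`).Replace

// buildUserFilter makes a prefix filter and rejects terms shorter than minLen.
// Attribute and object class names are assumptions about the schema.
func buildUserFilter(term string, minLen int) (string, error) {
	term = strings.TrimSpace(term)
	if len(term) < minLen {
		return "", errors.New("search term too short")
	}
	e := escapeFilter(term)
	return fmt.Sprintf("(&(objectClass=inetOrgPerson)(|(uid=%s*)(cn=%s*)))", e, e), nil
}

// listUsers treats sizeLimitExceeded as a truncated success, not a failure.
func listUsers(resp searchResponse) (users []string, truncated bool, err error) {
	switch resp.ResultCode {
	case resultSuccess:
		return resp.Entries, false, nil
	case resultSizeLimitExceeded:
		return resp.Entries, true, nil
	}
	return nil, false, fmt.Errorf("ldap search failed: result code %d", resp.ResultCode)
}

func main() {
	f, _ := buildUserFilter("al*", 2)
	fmt.Println(f)
	// Constructed sample: two entries delivered, then result code 4.
	fmt.Println(listUsers(searchResponse{Entries: []string{"alice", "alan"}, ResultCode: 4}))
}
```

The `truncated` flag lets a UI show the partial list with a hint to narrow the search instead of reporting a failure.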