
LDAP unable to handle large response

Open Azulath opened this issue 3 years ago • 6 comments

Current Behavior

DependencyTrack does not manage large LDAP responses properly, nor is it able to have separate search queries for users and groups. Thus, users are not mapped appropriately and new users do not belong to any teams and therefore must be mapped manually.

This message is shown in the log:

2023-02-15 14:11:49,854 WARN [LdapConnectionWrapper] Partial results returned. If this is an Active Directory server, try using port 3268 or 3269 in LDAP_SERVER_URL 

Steps to Reproduce

  1. Enable LDAP and receive a large response

Expected Behavior

DT is able to handle large responses or it should have separate search queries for users and groups.

Dependency-Track Version

4.7.0

Dependency-Track Distribution

Container Image

Database Server

PostgreSQL

Database Server Version

No response

Browser

Mozilla Firefox

Azulath avatar Feb 17 '23 09:02 Azulath

Same here. The suggestion in the log message to use port 3268 or 3269 does not help (port is not open here).

cpfeiffer avatar May 20 '25 06:05 cpfeiffer

Related: https://github.com/stevespringett/Alpine/issues/19

cpfeiffer avatar May 20 '25 07:05 cpfeiffer

@cpfeiffer So based on the Alpine issue you linked, this doesn't appear to be something we can solve programmatically?

nscuro avatar May 20 '25 08:05 nscuro

From my quick understanding it seems that this can only be fixed in Alpine.

cpfeiffer avatar May 20 '25 08:05 cpfeiffer

Some more background: In our case, this was actually a non-issue. The warning is just a warning that the ldap search would return more results iff it followed referrals. It doesn't, so it just returns the available results and logs the warning.

My confusion came from the fact that dt would not show me any ldap groups in the Administration -> Teams -> Mapped LDAP groups dialog, while OIDC groups are shown in its respective dialog. Moreover, I did not see any ldap group searches in the debug log, while ldap user/group searches were clearly visible (with the above warning).

The difference between these two dialogs (LDAP groups and OIDC groups) is that

  • the former requires a search input to show any results
  • the latter does not (any search input does not even filter the already displayed results)

cpfeiffer avatar May 20 '25 15:05 cpfeiffer

So the log message Partial results returned has nothing to do with a "large response" at all. It means that LDAP would provide more (external) results to a search, but it does not.

IMHO: works as designed.

cpfeiffer avatar May 20 '25 15:05 cpfeiffer
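The two comments above describe the behaviour behind the "Partial results returned" warning: the directory answered the search but also handed back referrals to other naming contexts, and because referrals are not chased the client reports the result set as partial. The following is an added example, not code from Alpine or Dependency-Track, showing how this surfaces in plain JNDI: the entries the server did return are consumed normally, and the `PartialResultException` only arrives at the end of the enumeration. The server URL, bind DN, password and search base in `main` are placeholders; `(objectClass=user)` and `sAMAccountName` are assumed to be the attributes of interest for an Active Directory deployment.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.PartialResultException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Added example (not Alpine or Dependency-Track code): run a subtree search and
 * keep every entry the server returned even when the enumeration ends with a
 * PartialResultException caused by unfollowed referrals.
 */
public class PartialResultsDemo {

    /** Returns the sAMAccountName of every user entry the server actually returned. */
    public static List<String> searchUsers(String url, String bindDn, String password,
                                           String base) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // "ignore" is the JNDI default: referrals embedded in the result set are not
        // chased. Against Active Directory on port 389 the domain naming context
        // refers to other contexts (e.g. DNS zone partitions), which is what ends
        // the enumeration with a PartialResultException.
        env.put(Context.REFERRAL, "ignore");

        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"sAMAccountName"});

        List<String> names = new ArrayList<>();
        DirContext ctx = new InitialDirContext(env);
        try {
            NamingEnumeration<SearchResult> results =
                    ctx.search(base, "(objectClass=user)", controls);
            try {
                // hasMore() is where the PartialResultException is raised, after all
                // real entries have already been delivered by next().
                while (results.hasMore()) {
                    SearchResult entry = results.next();
                    if (entry.getAttributes().get("sAMAccountName") != null) {
                        names.add(entry.getAttributes().get("sAMAccountName").get().toString());
                    }
                }
            } catch (PartialResultException e) {
                // The entries collected so far are complete for the searched naming
                // context; the exception only reports referrals that were not followed.
                System.err.println("Partial results returned (referrals not followed): "
                        + e.getMessage());
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
        return names;
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder connection details; replace with values for your directory.
        List<String> users = searchUsers(
                "ldap://ad.example.internal:389",
                "CN=svc-dtrack,OU=Service Accounts,DC=example,DC=internal",
                "REPLACE_ME",
                "DC=example,DC=internal");
        System.out.println(users.size() + " user entries returned");
    }
}
```

Two points follow from the code. First, treating the exception as a warning and keeping the collected entries is exactly the "works as designed" reading given above: nothing from the searched naming context is lost. Second, the alternatives named in the log message, the global catalog ports 3268 (LDAP) and 3269 (LDAPS), avoid the referrals altogether because a global catalog server holds a partial replica of every domain in the forest and therefore does not need to refer the client elsewhere; when those ports are reachable this is the cleaner fix, and when they are not, catching the exception as shown is what remains.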

For me using port 3269 instead of 389 actually solved the issue.

My users weren't automatically mapped to the teams if I used port 389 and I had these warnings in my logs.
After changing it to ldaps:// and port 3269 the mapping started working and the warnings are gone.

However I still have 1 ldap user who is unable to login. The sync fails and it just says INVALID.

mcvermeulen avatar Jul 23 '25 10:07 mcvermeulen