[37]   Issue Tracker and AUTH:AD authentication

Creator: Daniel Lindgren
Created: 2012-01-14 8:39:48
Assigned to: Taggic
Modified: 2012-08-24 11:55:11
Severity: Minor
Project: fcon_project
Status: Solved
Product: Issue Tracker
Begin:
Version: Current as of 2012-01-14
Deadline:
Component:
Progress in %:
Target version:
Test blocking: YES
Creator Details
Initial description
If you use AUTH:AD as authentication backend in DokuWiki you will run into problems with Issue Tracker if you have more than 1000 objects in Active Directory. This is not Issue Tracker's or AUTH:AD/adLDAP's fault, it is a known problem with PHP's LDAP extension.

See http://adldap.sourceforge.net/wiki/doku.php?id=api_pagingsupport

You can work around this PHP bug by increasing the MaxPageSize value in Active Directory (see http://support.microsoft.com/kb/315071), but make sure you know what problems that may cause (Microsoft Exchange BPA etc).
Workaround

Comments (work log)
       
Hi Daniel,

thanks a lot for the ticket and root cause analysis incl. workaround and links to further descriptions. That's very appreciated. As it is not a bug of IssueTracker I will put your info into the FAQ section here and on DokuWiki org.

Finally I will set the request to solved.

Thanks and best regards
Taggic
           
I just switched to Windows 2008 for AD with about 500 users a few days ago.
I found that I can see the Report page, and it works ok.
But I can not see the Issue List page, it just doesn't show up.
I changed the MaxPageSize value to 10000, but it is still not working.
Is there anything more I should do for it? Or any way I should test it?
Thank you

Ian ko
           
Hi Taggic,

There is a plugin, called Doodle2, http://www.dokuwiki.org/plugin:doodle2?s[]=doodle
It also caches user name and id, but the funny thing is that it works fine with Windows 2008 AD auth.
Due to my need (I need the timestamp), I changed one line of code, just adding the date()
$this->doodle["$fullname"]['username'] = strstr ($_SERVER['REMOTE_USER'], '(').date ("m/d-H:i");
What I want to say is that because I tried to read the code for the timestamp, I found the function he used.
Maybe you can try to use the function as he did, $_SERVER['REMOTE_USER'], to get username and id.
This would be useful for all the AD auth users.

PS: it has a bug, so you have to install it and manually change the folder from doodle2 to doodle
       
When I was troubleshooting the problem I found two recommendations:


the description in the Issue Tracker,
That was coming from Dali, not me... it would be great to change the author.
       
was coming from Dali

Ah, ok I modified this.

$_SERVER['REMOTE_USER'] does deliver the current user and I used it (maybe in another plugin, I have to check). I have to look deeper into the code to check if that is enough, because we also need groups and other users not currently logged in but member of e.g. assignee group.
       
Have you checked following DokuWiki forum topic ?
Active Directory SSO Working Configs

This provides configurations and extends the AD guide and the LDAP guide.
       
I assume that you have configured your AUTH:AD properly and that DokuWiki provides that info by core functions.
The only point where more than one user record is requested is on groups ($auth->retrieveUsers(0,0,$filter);) where filter is an array of the groups you configured as assignees.

Question:
  1. What are the values you configured at issue tracker for plugin»issuetracker»assign ?
  2. How many users are member of these groups ?
           
Taggic, I do not think the filter option has any limiting effect. This is the beginning of retrieveUsers in ad.class.php:


/**
* @param start index of first user to be returned
* @param limit max number of users to be returned
* @param filter array of field/pattern pairs, null for no filter
* @return array of userinfo (refer getUserData for internal userinfo details)
*/
function retrieveUsers($start=0,$limit=-1,$filter=array()) {
    if(!$this->_init()) return false;
    if ($this->users === null) {
        //get info for given user
        $result = $this->adldap->all_users();
        ...

And this is the description of all_users function in adLDAP.php:

/**
* Return a list of all users in AD
*
* @param bool $include_desc Return a description of the user
* @param string $search Search parameter
* @param bool $sorted Sort the user accounts
* @return array
*/

A call to retrieveUsers will try to get all users from AD, which causes a problem if you have more than 1000 users.

This is the warning message from PHP that I added to the FAQ section of Issue Tracker's plugin page at dokuwiki.org (it has since been removed):

PHP Warning: ldap_search() [<a href='function.ldap-search'>function.ldap-search</a>]: Partial search results returned: Sizelimit exceeded. in /var/www/html/dokuwiki/inc/adLDAP.php


During testing I removed the retrieveUsers calls from Issue Tracker and the plugin started working (albeit without users in the drop down lists). Perhaps there could be a configuration option for Issue Tracker that deactivates all use of retrieveUsers and replaces the drop down lists with simple text input fields? You'd have to add user name manually for the issue, but at least it would work in an environment where AUTH:AD is used.


The real solution would of course be that the PHP community adds paging support to the LDAP extension, but since the problem has been known for 7(!) years with pretty much no progress, it doesn't look promising.


EDIT: There are some issues with line breaks in Issue Tracker that mangle the text in comments, I have to add double line breaks to get one.
       
Perhaps there could be a configuration option for Issue Tracker that deactivates all use of retrieveUsers and replaces the drop down lists with simple text input fields? You'd have to add user name manually for the issue, but at least it would work in an environment where AUTH:AD is used.

Seems the only option we have. I will add a config parameter like AUTH:AD overflow. If that is checked then IssueTracker will provide a text edit instead of drop down list and does not ask AD for group members.
       
There are a lot of dependencies and I'm not sure if I found all and modified it properly for AUTH:AD.
Please check Test Build for Issue 37 and let me know if that is a step into the right direction. Basic assumption is that the current logged in user is determined already and only the groups to be ignored. There are some further dependencies for resolving user mails and groups or names. All I have found I switched to a behavior reasonable from my current understanding. AUTH:AD modifications will become part of next release if I do not find any mismatch with current code and functions.
       
I've done some initial testing with the above build and it looks promising, no errors and no blank pages ... :thumbsup:
       
Thank you for that great news. I included the adds also in the build of 2012-02-22, together with some other modifications mostly part of the intermediate build you already have. If you find something is wrong then please open a ticket here. It will be handled within the master branch, which makes it easier for me to follow up.

There are some issues with line breaks in Issue Tracker that mangle the text in comments, I have to add double line breaks to get one.

It should be very similar to the DokuWiki editor but I will keep an eye on it.
       
There are some issues with line breaks in Issue Tracker that mangle the text in comments, I have to add double line breaks to get one.

I have updated the code to solve this issue. It will be released today or tomorrow. Unfortunately the formerly entered double line feeds will now be shown as such.
       
I just wanted to let you guys know that pagination has been added to PHP's LDAP extension.
https://bugs.php.net/bug.php?id=42060
Meaning: PHP 5 >= 5.4.0 has gotten 2 new functions:
http://fr2.php.net/manual/en/function.ldap-control-paged-result.php
http://fr2.php.net/manual/en/function.ldap-control-paged-result-response.php
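
The paged search that the two functions linked above make possible, shown as an added example (it is not code from Issue Tracker, adLDAP or any poster in this thread). The function name `fetch_all_ad_users`, the search filter and the page size of 500 are assumptions, and `$link` must be an already connected and bound LDAP connection.

```php
<?php
// Added example, not Issue Tracker or adLDAP code. Needs PHP 5.4 to 7.4 with
// the LDAP extension; $link is assumed to be connected and bound already.

/**
 * Return sAMAccountName => displayName for every user below $baseDn.
 * Results are requested page by page, so the directory's MaxPageSize
 * (1000 by default in Active Directory) is never exceeded and
 * ldap_search() no longer stops with "Sizelimit exceeded".
 */
function fetch_all_ad_users($link, $baseDn, $pageSize = 500)
{
    // The paged-results control only exists in LDAPv3.
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($link, LDAP_OPT_REFERRALS, 0);

    $filter = '(&(objectCategory=person)(objectClass=user))'; // assumed filter
    $attrs  = array('samaccountname', 'displayname');
    $users  = array();
    $cookie = '';

    do {
        // Marked critical: fail loudly rather than return a truncated list.
        if (!ldap_control_paged_result($link, $pageSize, true, $cookie)) {
            throw new RuntimeException('Paged results control was rejected');
        }
        $result = ldap_search($link, $baseDn, $filter, $attrs);
        if ($result === false) {
            throw new RuntimeException('Search failed: ' . ldap_error($link));
        }
        // ldap_get_entries() lower-cases attribute names.
        $entries = ldap_get_entries($link, $result);
        for ($i = 0; $i < $entries['count']; $i++) {
            $e = $entries[$i];
            if (!isset($e['samaccountname'][0])) {
                continue;
            }
            $users[$e['samaccountname'][0]] =
                isset($e['displayname'][0]) ? $e['displayname'][0] : '';
        }
        // The server hands back a cookie; an empty cookie marks the last page.
        if (!ldap_control_paged_result_response($link, $result, $cookie)) {
            throw new RuntimeException('No paging response: ' . ldap_error($link));
        }
    } while ($cookie !== null && $cookie != '');

    return $users;
}
```

Both functions were deprecated in PHP 7.4 and removed in PHP 8.0, where the paged-results control is passed to ldap_search() directly instead.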
Resolution
2012-03-20
issuetracker/issuelist.txt · Last modified: 2014/04/30 09:36 (external edit)
