[#10944] LDAP-specific user existence method in LDAP driver
Summary LDAP-specific user existence method in LDAP driver
Queue Horde Framework Packages
Queue Version Git master
Type Enhancement
State Resolved
Priority 1. Low
Owners jan (at) horde (dot) org
Requester marco (at) csita (dot) unige (dot) it
Created 01/27/2012 (4908 days ago)
Due
Updated 02/01/2012 (4903 days ago)
Assigned
Resolved 01/30/2012 (4905 days ago)
Milestone
Patch Yes

History
02/01/2012 08:25:35 PM Git Commit Comment #14
Changes have been made in Git (refs/heads/ajax_to_core):

commit 5e798939890d0bf46aaefa30517c70c9034d631c
Author: Jan Schneider <jan@horde.org>
Date:   Mon Jan 30 14:22:26 2012 +0100

     Fix catching exception, check if logger exists (Request #10944).

  framework/Auth/lib/Horde/Auth/Ldap.php |   14 ++++++++------
  1 files changed, 8 insertions(+), 6 deletions(-)

http://git.horde.org/horde-git/-/commit/5e798939890d0bf46aaefa30517c70c9034d631c
02/01/2012 08:25:20 PM Git Commit Comment #13
Changes have been made in Git (refs/heads/ajax_to_core):

commit ec3f2fcc9afb02395eaf2e53c329687427baa93c
Author: Jan Schneider <jan@horde.org>
Date:   Mon Jan 30 14:18:36 2012 +0100

     [jan] Add optimized exists() implementation to LDAP driver (Marco Ferrante <marco@csita.unige.it>, Request #10944).

  framework/Auth/package.xml |    2 ++
  1 files changed, 2 insertions(+), 0 deletions(-)

http://git.horde.org/horde-git/-/commit/ec3f2fcc9afb02395eaf2e53c329687427baa93c
02/01/2012 08:25:01 PM Git Commit Comment #12
Changes have been made in Git (refs/heads/ajax_to_core):

commit fb0aea01f7b691df7c311c3c906712a51640fafb
Author: Marco Ferrante <marco@csita.unige.it>
Date:   Fri Jan 27 11:23:04 2012 +0100

     Implemented method exists() in Ldap driver

     Signed-off-by: Jan Schneider <jan@horde.org>
     Bug: 10944

  framework/Auth/lib/Horde/Auth/Ldap.php |   36 ++++++++++++++++++++++++++++++++
  1 files changed, 36 insertions(+), 0 deletions(-)

http://git.horde.org/horde-git/-/commit/fb0aea01f7b691df7c311c3c906712a51640fafb
01/30/2012 06:10:36 PM Git Commit Comment #11
Changes have been made in Git (refs/heads/develop):

commit 5e798939890d0bf46aaefa30517c70c9034d631c
Author: Jan Schneider <jan@horde.org>
Date:   Mon Jan 30 14:22:26 2012 +0100

     Fix catching exception, check if logger exists (Request #10944).

  framework/Auth/lib/Horde/Auth/Ldap.php |   14 ++++++++------
  1 files changed, 8 insertions(+), 6 deletions(-)

http://git.horde.org/horde-git/-/commit/5e798939890d0bf46aaefa30517c70c9034d631c
01/30/2012 06:10:19 PM Git Commit Comment #10
Changes have been made in Git (refs/heads/develop):

commit ec3f2fcc9afb02395eaf2e53c329687427baa93c
Author: Jan Schneider <jan@horde.org>
Date:   Mon Jan 30 14:18:36 2012 +0100

     [jan] Add optimized exists() implementation to LDAP driver (Marco Ferrante <marco@csita.unige.it>, Request #10944).

  framework/Auth/package.xml |    2 ++
  1 files changed, 2 insertions(+), 0 deletions(-)

http://git.horde.org/horde-git/-/commit/ec3f2fcc9afb02395eaf2e53c329687427baa93c
01/30/2012 06:10:02 PM Git Commit Comment #9
Changes have been made in Git (refs/heads/develop):

commit fb0aea01f7b691df7c311c3c906712a51640fafb
Author: Marco Ferrante <marco@csita.unige.it>
Date:   Fri Jan 27 11:23:04 2012 +0100

     Implemented method exists() in Ldap driver

     Signed-off-by: Jan Schneider <jan@horde.org>
     Bug: 10944

  framework/Auth/lib/Horde/Auth/Ldap.php |   36 ++++++++++++++++++++++++++++++++
  1 files changed, 36 insertions(+), 0 deletions(-)

http://git.horde.org/horde-git/-/commit/fb0aea01f7b691df7c311c3c906712a51640fafb
01/30/2012 01:56:22 PM marco (at) csita (dot) unige (dot) it Comment #8
>> It should be used only in drivers with hasCapability('list') true?
> And what should happen if it doesn't?
Ok, I noticed that the check on hasCapability('list') is already 
implemented on the invoker side (e.g. the readPermsForm() method of 
the module Kronolith).
Thus the problem is very LDAP-specific, because it supports user list 
but it could return an incomplete list. My patch should solve the 
problem.
01/30/2012 01:23:08 PM Jan Schneider Version ⇒ Git master
Queue ⇒ Horde Framework Packages
 
01/30/2012 01:22:49 PM Jan Schneider Assigned to Jan Schneider
State ⇒ Resolved
 
01/30/2012 01:22:44 PM Git Commit Comment #7
Changes have been made in Git (refs/heads/master):

commit 5e798939890d0bf46aaefa30517c70c9034d631c
Author: Jan Schneider <jan@horde.org>
Date:   Mon Jan 30 14:22:26 2012 +0100

     Fix catching exception, check if logger exists (Request #10944).

  framework/Auth/lib/Horde/Auth/Ldap.php |   14 ++++++++------
  1 files changed, 8 insertions(+), 6 deletions(-)

http://git.horde.org/horde-git/-/commit/5e798939890d0bf46aaefa30517c70c9034d631c
01/30/2012 01:22:41 PM Git Commit Comment #6
Changes have been made in Git (refs/heads/master):

commit ec3f2fcc9afb02395eaf2e53c329687427baa93c
Author: Jan Schneider <jan@horde.org>
Date:   Mon Jan 30 14:18:36 2012 +0100

     [jan] Add optimized exists() implementation to LDAP driver (Marco Ferrante <marco@csita.unige.it>, Request #10944).

  framework/Auth/package.xml |    2 ++
  1 files changed, 2 insertions(+), 0 deletions(-)

http://git.horde.org/horde-git/-/commit/ec3f2fcc9afb02395eaf2e53c329687427baa93c
01/30/2012 01:22:37 PM Git Commit Comment #5
Changes have been made in Git (refs/heads/master):

commit fb0aea01f7b691df7c311c3c906712a51640fafb
Author: Marco Ferrante <marco@csita.unige.it>
Date:   Fri Jan 27 11:23:04 2012 +0100

     Implemented method exists() in Ldap driver

     Signed-off-by: Jan Schneider <jan@horde.org>
     Bug: 10944

  framework/Auth/lib/Horde/Auth/Ldap.php |   36 ++++++++++++++++++++++++++++++++
  1 files changed, 36 insertions(+), 0 deletions(-)

http://git.horde.org/horde-git/-/commit/fb0aea01f7b691df7c311c3c906712a51640fafb
01/30/2012 01:06:49 PM Jan Schneider Comment #4
>> It's not wrong at all, it's a fallback method for any authentication
>> driver that doesn't implement exists() natively.
> Ok, it doesn't work with RADIUS, Shibboleth, FTP, etc... and is 
> suboptimal with LDAP and AD.
Of course this fallback only works if the driver supports listing of 
users. Which still doesn't make it wrong.
> It should be used only in drivers with hasCapability('list') true?
And what should happen if it doesn't?
01/27/2012 04:10:54 PM marco (at) csita (dot) unige (dot) it Comment #3
New Attachment: 0001-Implemented-method-exists-in-Ldap-driver.patch
> It's not wrong at all, it's a fallback method for any authentication 
> driver that doesn't implement exists() natively.
Ok, it doesn't work with RADIUS, Shibboleth, FTP, etc... and is 
suboptimal with LDAP and AD.
It should be used only in drivers with hasCapability('list') true?
> There was no patch attached.
Sorry...

01/27/2012 12:00:01 PM Jan Schneider Comment #2
Priority ⇒ 1. Low
State ⇒ Feedback
> I think that this implementation of exists() is wrong (for LDAP backend,
> at least):
It's not wrong at all, it's a fallback method for any authentication 
driver that doesn't implement exists() natively.
> Attached is a patch for the Horde/Auth/Ldap.php file to handle exists()
> using an LDAP-specific implementation.
There was no patch attached.
01/27/2012 10:42:45 AM marco (at) csita (dot) unige (dot) it Comment #1
Priority ⇒ 3. High
State ⇒ New
Patch ⇒ Yes
Milestone ⇒
Summary ⇒ LDAP-specific user existence method in LDAP driver
Type ⇒ Enhancement
Queue ⇒ Horde Base
Currently, the exists() method in Horde_Auth_Ldap class is inherited 
from Horde_Auth_Base. It transfers via listUsers() the full user list 
from the LDAP backend and then checks for the presence of the
$userId in the resulting array.

I think that this implementation of exists() is wrong (for LDAP backend,
at least):
- an LDAP system could have thousands of users, with only a few using IMP
webmail: it is useless and resource-demanding to transfer all users in
order to check the presence of only one of them;
- likely LDAP servers have some administrative limit in the size of a
search result and the resulting list could be incomplete, producing false
negatives in the presence check.

It is possible this is the cause of bug #7640.

Attached is a patch for the Horde/Auth/Ldap.php file to handle exists()
using an LDAP-specific implementation.
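
The two behaviours compared in this ticket, as an added example that is not part of the ticket or of Horde's code: a Python model of a directory with an assumed size limit, where the list-based fallback reports an existing user as missing while a single-user search with an RFC 4515-escaped filter finds it. The directory entries, `SIZE_LIMIT` and all function names are constructed for the illustration.

```python
import re

SIZE_LIMIT = 3  # assumed administrative size limit of the modelled server
DIRECTORY = ["alice", "bob", "carol", "dave", "marco"]  # constructed entries


def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515 special chars)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _uid_filter_to_regex(ldap_filter):
    """Tiny evaluator for filters of the form (uid=VALUE) only."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter, re.S)
    if m is None:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    parts = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", m.group(1), re.S):
        if tok == "*":
            parts.append(".*")  # unescaped wildcard
        elif len(tok) == 3:
            parts.append(re.escape(chr(int(tok[1:], 16))))  # \xx escape
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts), re.S)


def search(ldap_filter):
    """Return (uids, truncated); at most SIZE_LIMIT entries come back."""
    rx = _uid_filter_to_regex(ldap_filter)
    hits = [uid for uid in DIRECTORY if rx.fullmatch(uid)]
    return hits[:SIZE_LIMIT], len(hits) > SIZE_LIMIT


def exists_via_list(user_id):
    """Fallback behaviour from the ticket: list everyone, then look."""
    users, _truncated = search("(uid=*)")  # truncation goes unnoticed
    return user_id in users


def exists_via_search(user_id):
    """Driver-specific behaviour: ask the server for this one user."""
    users, _truncated = search("(uid=%s)" % escape_filter_value(user_id))
    return len(users) > 0
```

Escaping the user ID keeps a value such as `*` from acting as a wildcard in the single-user filter.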
