From 3d45d61185cfd714a9e733af8a9027c0524d1496 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Wed, 17 May 2023 19:24:24 -0400
Subject: [PATCH] Correct Default for MaximumPageSize (#20453) (#20638)
* default max page size for config
* Add changelog
* update test int to *int
* add testing defaults
* update default to -1, i.e. dont paginate
* update test
* Add error message for invalid search
* Make 0 the default
* cleanup
* Add to known issues doc
* Update website/content/docs/upgrading/upgrade-to-1.13.x.mdx
* Update website/content/docs/upgrading/upgrade-to-1.11.x.mdx
* Update website/content/docs/upgrading/upgrade-to-1.13.x.mdx
* Update website/content/docs/upgrading/upgrade-to-1.12.x.mdx
* Add workaround to docs
* Update changelog/20453.txt
---------
Co-authored-by: Luis (LT) Carbonell
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Co-authored-by: Austin Gebauer <34121980+austingebauer@users.noreply.github.com>
---
 changelog/20453.txt | 3 +++
 sdk/helper/ldaputil/client.go | 2 +-
 sdk/helper/ldaputil/config.go | 5 ++---
 sdk/helper/ldaputil/config_test.go | 2 +-
 website/content/api-docs/auth/ldap.mdx | 5 ++---
 website/content/docs/auth/ldap.mdx | 2 +-
 .../docs/upgrading/upgrade-to-1.11.x.mdx | 17 ++++++++++++++++-
 .../docs/upgrading/upgrade-to-1.12.x.mdx | 17 ++++++++++++++++-
 8 files changed, 42 insertions(+), 11 deletions(-)
 create mode 100644 changelog/20453.txt
diff --git a/changelog/20453.txt b/changelog/20453.txt
new file mode 100644
index 000000000000..e605791bc6b5
--- /dev/null
+++ b/changelog/20453.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/ldap: Set default value for `max_page_size` properly
+```
diff --git a/sdk/helper/ldaputil/client.go b/sdk/helper/ldaputil/client.go
index 0633cfe21c5e..bbdca9a4e6a8 100644
--- a/sdk/helper/ldaputil/client.go
+++ b/sdk/helper/ldaputil/client.go
@@ -536,7 +536,7 @@ func (c *Client) GetLdapGroups(cfg *ConfigEntry, conn Connection, userDN string,
 if cfg.UseTokenGroups {
 entries, err = c.performLdapTokenGroupsSearch(cfg, conn, userDN)
 } else {
- if paging, ok := conn.(PagingConnection); ok && cfg.MaximumPageSize >= 0 {
+ if paging, ok := conn.(PagingConnection); ok && cfg.MaximumPageSize > 0 {
 entries, err = c.performLdapFilterGroupsSearchPaging(cfg, paging, userDN, username)
 } else {
 entries, err = c.performLdapFilterGroupsSearch(cfg, conn, userDN, username)
diff --git a/sdk/helper/ldaputil/config.go b/sdk/helper/ldaputil/config.go
index 80d5c55ea6e7..041ed0704ae0 100644
--- a/sdk/helper/ldaputil/config.go
+++ b/sdk/helper/ldaputil/config.go
@@ -6,7 +6,6 @@ import (
 "encoding/pem"
 "errors"
 "fmt"
- "math"
 "strings"
 "text/template"
@@ -236,8 +235,8 @@ Default: ({{.UserAttr}}={{.Username}})`,
 "max_page_size": {
 Type: framework.TypeInt,
- Description: "The maximum number of results to return for a single paged query. If not set, the server default will be used for paged searches. A requested max_page_size of 0 is interpreted as no limit by LDAP servers. If set to a negative value, search requests will not be paged.",
- Default: math.MaxInt32,
+ Description: "If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.",
+ Default: 0,
 },
 }
 }
diff --git a/sdk/helper/ldaputil/config_test.go b/sdk/helper/ldaputil/config_test.go
index 3a169ef81687..c0a57253ce7d 100644
--- a/sdk/helper/ldaputil/config_test.go
+++ b/sdk/helper/ldaputil/config_test.go
@@ -171,7 +171,7 @@ var jsonConfigDefault = []byte(`
 "username_as_alias": false,
 "request_timeout": 90,
 "connection_timeout": 30,
- "max_page_size": 2147483647,
+ "max_page_size": 0,
 "CaseSensitiveNames": false,
 "ClientTLSCert": "",
 "ClientTLSKey": ""
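Review bot: After the change to `> 0`, a zero and a negative MaximumPageSize both take the unpaged branch, but nothing at the condition says so, the new `max_page_size` Description in config.go covers the rest only with "Otherwise", and the upgrade notes in this same commit rely on `-1` as the way to turn paging off; add `// A max_page_size of 0 (the default) or a negative value disables paged searching.` above the condition and state the same accepted range in the config.go Description so a later reader does not restore `>= 0`. With paging now off by default, an unpaged search that hits the server's size limit should surface as an error rather than a truncated group list, since the groups returned here feed policy assignment (the upgrade notes' "only policies from locally-defined groups available" error shows that coupling); that behaviour lives in performLdapFilterGroupsSearch, outside this hunk, and is worth confirming. GetLdapGroups begins and ends outside the hunk.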
diff --git a/website/content/api-docs/auth/ldap.mdx b/website/content/api-docs/auth/ldap.mdx
index 0f858ce6abbd..0ad5fd920ff0 100644
--- a/website/content/api-docs/auth/ldap.mdx
+++ b/website/content/api-docs/auth/ldap.mdx
@@ -94,11 +94,10 @@ This endpoint configures the LDAP auth method.
 returning _user_ objects, use: `memberOf`. The default is `cn`.
 - `username_as_alias` `(bool: false)` - If set to true, forces the auth method to use the username passed by the user as the alias name.
-- `max_page_size` `(int: math.MaxInt32)` - If set to a value greater than 0, the LDAP
+- `max_page_size` `(int: 0)` - If set to a value greater than 0, the LDAP
 backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's
- maximum result size limit. A value of 0 will be interpreted by the LDAP
- server as unlimited. If set to -1, the LDAP backend will not use the
+ maximum result size limit. Otherwise, the LDAP backend will not use the
 paged search control.
 @include 'tokenfields.mdx'
diff --git a/website/content/docs/auth/ldap.mdx b/website/content/docs/auth/ldap.mdx
index 6e24448bf9b9..9cb4b0aa50ba 100644
--- a/website/content/docs/auth/ldap.mdx
+++ b/website/content/docs/auth/ldap.mdx
@@ -152,7 +152,7 @@ Use `vault path-help` for more details.
 ### Other
 - `username_as_alias` (bool, optional) - If set to true, forces the auth method to use the username passed by the user as the alias name.
-- `max_page_size` (int, optional) - The maximum number of results to return for a single LDAP query. This is useful for preventing large queries from being run against the LDAP server. The default is the maximum value for an int32.
+- `max_page_size` (int, optional) - If set to a value greater than 0, the LDAP backend will use the LDAP server's paged search control to request pages of up to the given size. This can be used to avoid hitting the LDAP server's maximum result size limit. Otherwise, the LDAP backend will not use the paged search control.
 ## Examples:
diff --git a/website/content/docs/upgrading/upgrade-to-1.11.x.mdx b/website/content/docs/upgrading/upgrade-to-1.11.x.mdx
index 1410295803ce..0a03292518d6 100644
--- a/website/content/docs/upgrading/upgrade-to-1.11.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.11.x.mdx
@@ -27,4 +27,19 @@ API path by setting the [bool config option](/api-docs/secret/databases/elasticd
 @include 'raft-retry-join-failure.mdx'
-@include 'tokenization-rotation-persistence.mdx'
\ No newline at end of file
+@include 'tokenization-rotation-persistence.mdx'
+
+### LDAP Pagination Issue
+
+There was a regression introduced in 1.11.10 relating to LDAP maximum page sizes, resulting in
+an error `no LDAP groups found in groupDN [...] only policies from locally-defined groups available`. The issue
+occurs when upgrading Vault with an instance that has an existing LDAP Auth configuration.
+
+As a workaround, disable paged searching using the following:
+```shell-session
+vault write auth/ldap/config max_page_size=-1
+```
+
+#### Impacted Versions
+
+Affects Vault 1.11.10.
diff --git a/website/content/docs/upgrading/upgrade-to-1.12.x.mdx b/website/content/docs/upgrading/upgrade-to-1.12.x.mdx
index 9df1bbd85c90..2d24e06f1493 100644
--- a/website/content/docs/upgrading/upgrade-to-1.12.x.mdx
+++ b/website/content/docs/upgrading/upgrade-to-1.12.x.mdx
@@ -152,7 +152,7 @@ It will produce errors in Vault Server's logs such as:
 error=
 | 1 error occurred:
 | * panic generating audit log
- |
+ |
 ```
 As a workaround, [listing plugins by type](/api-docs/system/plugins-catalog#list-plugins-1)
@@ -184,3 +184,18 @@ Affects version 1.12.3. A fix will be released in 1.12.4.
 @include 'tokenization-rotation-persistence.mdx'
 @include 'ocsp-redirect.mdx'
+
+### LDAP Pagination Issue
+
+There was a regression introduced in 1.12.6 relating to LDAP maximum page sizes, resulting in
+an error `no LDAP groups found in groupDN [...] only policies from locally-defined groups available`. The issue
+occurs when upgrading Vault with an instance that has an existing LDAP Auth configuration.
+
+As a workaround, disable paged searching using the following:
+```shell-session
+vault write auth/ldap/config max_page_size=-1
+```
+
+#### Impacted Versions
+
+Affects Vault 1.12.6.