Allow LDAP search users with *term* #45555
Conversation
|
My commit is not in the context of Arawa company. How can i have two different sign-offs ? |
|
Hello there, We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process. Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6 Thank you for contributing to Nextcloud and we hope to hear from you soon! (If you believe you should not receive this message, you can add yourself to the blocklist.) |
| @@ -1564,7 +1564,7 @@ private function prepareSearchTerm(string $term): string { | |||
| if ($term === '') { | |||
| $result = '*'; | |||
| } elseif ($allowEnum !== 'no') { | |||
| $result = $term . '*'; | |||
| $result = '*' . $term . '*'; | |||
There was a problem hiding this comment.
It is on purpose, yes. There should be a related issue and PR in this repo, too.
There was a problem hiding this comment.
I read some supposed performance limitations on big LDAP organisations. But:
- all i read on LDAP documentation never mention "don't do term" as it is even described in the main documentation.
- this might be based on old benchmarks on bad LDAP system
- why is the "*" allowed that will send "all users" in that case ?
- the SQL part does the term and nobody asked to remove this for performance reason
- this is very very confusing for the user experience (i thought this was a bug and i lost hours searching what was wrong with my LDAP until i debug in PHP)
In conclusion, at least, why presuming all ldap are made with millions of users ? Why not let users have the same behaviour between LDAP and NextCloud ? And maybe bring an LDAP option "don't allow term because my ldap is too slow" if someone complain for it ?
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
Fix nextcloud#11540 and nextcloud#14153 Signed-off-by: Sebastien Marinier <seb@smarinier.net>
smarinier
force-pushed
the
fix/11540/user_ldap_search_partial_not_efficient
branch
from
08fe4e2
to
8621eba
Compare
This comment was marked as resolved.
This comment was marked as resolved.
There was a problem hiding this comment.
If you make it a config option, maybe, but we cannot merge this as-is.
I do not have the details about when the decision was first taken, and I agree that with a good LDAP setup wildcard search is not an issue, but there is a lot of code in Nextcloud which is made to account for badly configured LDAP server, this is not the only place.
Fix #11540 and #14153
Fix #11540 and #14153
This issues were close, but because the user "didn't use NextCloud anymore"
Summary
In Database User Backend, search is based on "term". But in LDAP, it's only "term*". This is confusing for user experience.
TODO
Checklist
Code is properly formatted
Sign-off message is added to all commits
[ X] Tests (unit, integration, api and/or acceptance) are included
[0] Screenshots before/after for front-end changes
No front change
[0] Documentation (manuals or wiki) has been updated or is not required
This behaviour is not described in documentation
[0] Backports requested where applicable (ex: critical bugfixes)