[python-ldap] LDAP pagination cookie not working across AD server restart
Michael Ströder
michael at stroeder.com
Thu Jan 5 13:56:23 EST 2017
Ritesh Nadhani wrote:
> I am writing a script that would poll an AD with 250K user
> information. It looks something like (from which I took code
> inspiration):
>
> https://gist.github.com/mattfahrner/c228ead9c516fc322d3a

So you're using the Simple Paged Control (see RFC 2696):
https://tools.ietf.org/html/rfc2696

> To be resilient to server restarts and my app crashing, I am writing
> the cookie into a file and reading it from there in the next
> iteration.

Hmm...

> Everything works and even if my script crashes, on restart it picks up
> the right cookie file from storage and starts from the correct offset
> (ignoring users that have already been fetched).

I wonder why this works in your case.
In general I doubt that it's guaranteed to work.

> The problem seems to be that, while the operation is going on if I
> restart the server, I get a SERVER_DOWN exception, in which case I just
> re-setup the connection again after the server is back and continue on
> the loop. Unfortunately, in this case, using the older cookie gives
> me:
>
> UNAVAILABLE_CRITICAL_EXTENSION: {'info': '00000057: LdapErr:
> DSID-0C0907B8, comment: Error processing control, data 0, v2580',
> 'desc': 'Critical extension is unavailable'}
>
> ..
>
> and I cannot figure out the issue. The cookie way works brilliantly if
> my app and the network IO behaves correctly. If my app crashes, I can
> restart and reuse the cookie with a new connection object.
>
> But if I restart the AD server itself, reconnecting and using the
> cookie does not work.

In general I would never expect this (both cases) to work since the server can
throw away any context of your former stale LDAP connection. The first case may
work with AD but likely does not work with other LDAP servers. AFAICS there is
no text in RFC 2696 clarifying this.

I wonder why AD returns UNAVAILABLE_CRITICAL_EXTENSION though. But hey, RFC 2696
uses pretty blurry text like "it SHOULD return the appropriate error".

Ciao, Michael.
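
Since the reply above says the server may throw away the paging context of a stale connection, one way to cope is to drop the stored cookie on a restart error, reconnect, page again from an empty cookie and skip DNs already returned. This is an added example, not code from this thread or the linked gist; `fetch_all`, `ldap_page_fetcher`, `FakeDirectory` and `demo` are hypothetical names, and `ConnectionError` stands in for the python-ldap exceptions in the constructed offline demo.

```python
def fetch_all(connect, fetch_page, restart_errors, max_restarts=3):
    """connect() -> conn; fetch_page(conn, cookie) -> (entries, next_cookie)."""
    seen, results, restarts = set(), [], 0
    conn, cookie = connect(), b""
    while True:
        try:
            entries, cookie = fetch_page(conn, cookie)
        except restart_errors:
            restarts += 1
            if restarts > max_restarts:
                raise
            conn, cookie = connect(), b""  # old cookie is dropped, never replayed
            continue
        for dn, attrs in entries:
            if dn is not None and dn not in seen:  # dn None = search reference
                seen.add(dn)
                results.append((dn, attrs))
        if not cookie:  # empty cookie marks the last page (RFC 2696)
            return results

def ldap_page_fetcher(base, filterstr, attrlist, page_size=500):
    """fetch_page for python-ldap; imported lazily so fetch_all runs without it."""
    import ldap
    from ldap.controls import SimplePagedResultsControl as SPR
    def fetch_page(conn, cookie):
        ctrl = SPR(True, size=page_size, cookie=cookie)
        msgid = conn.search_ext(base, ldap.SCOPE_SUBTREE, filterstr, attrlist, serverctrls=[ctrl])
        _, data, _, sctrls = conn.result3(msgid)
        resp = [c for c in sctrls if c.controlType == SPR.controlType]
        return data, (resp[0].cookie if resp else b"")
    return fetch_page

class FakeDirectory:
    """Constructed in-memory server; ConnectionError stands in for ldap.SERVER_DOWN."""
    def __init__(self, n, page, restart_after):
        self.dns = ["CN=user%d,DC=example,DC=test" % i for i in range(n)]
        self.page, self.restart_after, self.calls, self.gen = page, restart_after, 0, 0
    def fetch_page(self, conn, cookie):
        self.calls += 1
        if self.calls == self.restart_after:
            self.gen += 1  # simulated restart: paging state is lost
        if conn != self.gen:
            raise ConnectionError("cookie issued before the restart")
        end = int(cookie or b"0") + self.page
        nxt = str(end).encode() if end < len(self.dns) else b""
        return [(dn, {}) for dn in self.dns[end - self.page:end]], nxt

def demo():
    d = FakeDirectory(n=10, page=3, restart_after=3)
    return fetch_all(lambda: d.gen, d.fetch_page, (ConnectionError,)), d.calls
```

Against a real server, pass `(ldap.SERVER_DOWN, ldap.UNAVAILABLE_CRITICAL_EXTENSION)` as `restart_errors` and a `connect` callable that returns a freshly bound connection. Deduplicating by DN rather than by offset matters because nothing in the thread guarantees the server returns entries in the same order after a restart.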