KEYCLOAK-19036 Avoid infinite loop during LDAP sync with OpenLDAP and olcSizeLimit

Signed-off-by: Thomas Darimont <thomas.darimont@googlemail.com>
2021-08-11 17:09:13 +02:00 · 2021-08-11 17:09:13 +02:00 · f9b4e47851
commit f9b4e47851
parent 418d1e3471
1 changed files with 8 additions and 0 deletions
--- a/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java
+++ b/federation/ldap/src/main/java/org/keycloak/storage/ldap/idm/store/ldap/LDAPOperationManager.java
@ -320,6 +320,14 @@ public class LDAPOperationManager {
                                    identityQuery.getPaginationContext().setCookie(cookie);
                                }
                            }
+                        } else {
+                            /*
+                             * This ensures that PaginationContext#hasNextPage() will return false if we don't get ResponseControls back
+                             * from the LDAP query response. This helps to avoid an infinite loop in org.keycloak.storage.ldap.LDAPUtils.loadAllLDAPObjects
+                             * See KEYCLOAK-19036
+                             */
+                            identityQuery.getPaginationContext().setCookie(null);
+                            logger.warnf("Did not receive response controls for paginated query using DN [%s], filter [%s]. Did you hit a query result size limit?", baseDN, filter);
                        }

                        return result;