Fix ldap search with pagination bug

When making a ldap search, the pagination was managed both by the ldap search library and the calling code.
This lead to a fatal error when the number of results exceeded the page size.
This issue has been fixed by removing the pagination management in the calling code. The pagination is thus managed only by the ldap library

Author: Joël-Franck HOSSIE

internal/ldap/calls.go

@@ -75,19 +75,11 @@ func (c *LDAPClient) Query(request ldap.SearchRequest) ([]*ldap.Entry, error) {
 	}
 	defer conn.Close()
 
-	var allResults []*ldap.Entry
-	for {
-		results, err := conn.SearchWithPaging(&request, c.PageSize)
-		if err != nil {
-			return nil, fmt.Errorf("error searching in LDAP with request %v, %v", request, err)
-		}
-		allResults = append(allResults, results.Entries...)
-		if len(results.Entries) < int(c.PageSize) {
-			break
-		}
-		request.Controls = results.Controls
+	results, err := conn.SearchWithPaging(&request, c.PageSize)
+	if err != nil {
+		return nil, fmt.Errorf("error searching in LDAP with request %v, %v", request, err)
 	}
-	return allResults, nil
+	return results.Entries, err
 }
 
 func (c *LDAPClient) getGroupsContainingUser(userDN string) ([]*ldap.Entry, error) {

internal/ldap/projectname-from-ldap.go

@@ -12,7 +12,6 @@ func (c *LDAPClient) getProjectGroups() ([]string, error) {
 		BaseDN:       c.GroupBase,
 		Scope:        ldap.ScopeWholeSubtree,
 		DerefAliases: ldap.NeverDerefAliases,
-		SizeLimit:    0, // limit number of entries in result, 0 values means no limitations
 		TimeLimit:    30,
 		TypesOnly:    false,
 		Filter:       "(|(objectClass=groupOfNames)(objectClass=group))", // filter default format : (&(objectClass=groupOfNames)(member=%s))

test/e2e/bootstrap-fixtures-test-e2e.sh

@@ -13,6 +13,11 @@ if [ ! "$GITHUB_ACTIONS" = "true" ]; then
   export http_proxy=${PROXY_URL}
   export https_proxy=${PROXY_URL}
 fi
+#Ldap
+
+LDAP_IMAGE="docker-remote.registry.saas.cagip.group.gca/bitnamilegacy/openldap:2.6.10-debian-12-r4"
+docker pull ${LDAP_IMAGE}
+
 
 # KIND CLUSTER CREATION
 kind delete cluster --name test-e2e-kubi
@@ -22,9 +27,11 @@ kind create cluster --name test-e2e-kubi --config test/e2e/conf/kind/cluster-kin
 helm repo add helm-openldap https://jp-gouin.github.io/helm-openldap/
 
 # Create configmap containing ldif file
-kubectl -n kube-system apply -f test/e2e/conf/openldap/config.yaml
-helm upgrade --install openldap helm-openldap/openldap-stack-ha  -f test/e2e/conf/openldap/myvalues.yaml --namespace kube-system
-# We wait 30s for Openldap to pop otherwise, Kubi tries to connect to it directly, 
+kind load docker-image --name test-e2e-kubi ${LDAP_IMAGE}
+INSTALL_FOLDER_LDAP="test/e2e/conf/openldap"
+kubectl apply -f ${INSTALL_FOLDER_LDAP}/config.yaml
+kubectl apply -f ${INSTALL_FOLDER_LDAP}/deploy.yaml
+# We wait 60s for Openldap to pop otherwise, Kubi tries to connect to it directly, 
 # fails to open a connection and waits for a new reconciliation loop to occur, 
 # which makes the fail test, due to 30s timeout (in e2e_test.go file.)
 
@@ -37,7 +44,7 @@ sleep 60
 # kubi-encryption-secret -> the PKI which signs the tokens
 # kubi -> i think it's the authn cert to api server. Unsure
 
-kubectl -n kube-system create secret generic kubi-secret  --from-literal ldap_passwd='Not@SecurePassw0rd'
+kubectl -n kube-system create secret generic kubi-secret  --from-literal ldap_passwd='adminpassword'
 ./scripts/generate_ecdsa_keys.sh
 kubectl -n kube-system create secret generic kubi-encryption-secret --from-file=/tmp/kubi/ecdsa/ecdsa-key.pem --from-file=/tmp/kubi/ecdsa/ecdsa-public.pem
 

test/e2e/conf/kubi/configmap.yaml

@@ -5,13 +5,13 @@ data:
   LDAP_ADMIN_GROUPBASE: CN=ADMIN_KUBERNETES,OU=TEAMS,OU=Groups,DC=example,DC=org
   LDAP_ADMIN_USERBASE: OU=Users,DC=example,DC=org
   LDAP_APP_GROUPBASE: CN=CAGIP_MEMBERS,OU=TEAMS,OU=Groups,DC=example,DC=org
-  LDAP_BINDDN: CN=admin,DC=example,DC=org # Not like that , should container O=Example but does not work for some reason 
+  LDAP_BINDDN: CN=admin,DC=example,DC=org # Not like that , should container O=Example but does not work for some reason
   LDAP_CUSTOMER_OPS_GROUPBASE: CN=DL_KUB_CAGIPHP_OPS,OU=HORS-PROD,OU=CAGIP,OU=CONTAINER,OU=Groups,DC=example,DC=org
   LDAP_GROUPBASE: OU=HORS-PROD,OU=CAGIP,OU=CONTAINER,OU=Groups,DC=example,DC=org
   LDAP_OPS_GROUPBASE: CN=CLOUDOPS_KUBERNETES,OU=TEAMS,OU=Groups,DC=example,DC=org
   LDAP_PORT: "389"
   LDAP_ELIGIBLE_GROUPS_PARENTS: OU=CONTAINER,OU=Groups,DC=example,DC=org|OU=TEAMS,OU=Groups,DC=example,DC=org
-  LDAP_PAGE_SIZE: "500"
+  LDAP_PAGE_SIZE: "2"
   LDAP_SERVER: openldap.kube-system.svc.cluster.local
   LDAP_SERVICE_GROUPBASE: CN=DL_KUB_TRANSVERSAL_SERVICE,OU=CONTAINER,OU=Groups,DC=example,DC=org
   LDAP_USE_SSL: "false"

test/e2e/conf/openldap/config.yaml

@@ -384,4 +384,5 @@ data:
 kind: ConfigMap
 metadata:
   name: ldapconf
+  namespace: kube-system
 

test/e2e/conf/openldap/deploy.yaml

@@ -0,0 +1,52 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: openldap
+  name: openldap
+  namespace: kube-system
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: openldap
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: openldap
+    spec:
+      volumes: 
+        - name: "ldapconfig"
+          configMap:
+            name: ldapconf
+      containers:
+      - image: docker-remote.registry.saas.cagip.group.gca/bitnamilegacy/openldap:2.6.10-debian-12-r4
+        imagePullPolicy: IfNotPresent
+        name: openldap
+        env:
+        - name: LDAP_ROOT
+          value: "dc=example,dc=org"
+        volumeMounts:
+        - name: ldapconfig
+          mountPath: /ldifs
+        resources: {}
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: openldap
+  name: openldap
+  namespace: kube-system
+spec:
+  ports:
+  - port: 389
+    protocol: TCP
+    targetPort: 1389
+  selector:
+    app: openldap
+status:
+  loadBalancer: {}