From 4451fde0ca5f46c5dc5bb3dbfcf55e73fe84a78d Mon Sep 17 00:00:00 2001
From: AlanJager
Date: Wed, 29 May 2024 13:14:36 +0800
Subject: [PATCH 1/2] [ldap]: add more global properties for ldap context source
Ldap.referral to set if query referral for ldap search
Ldap.connect.pool to set if use ldap pooling
Note: refer to ZSTAC-66029 if referral set to follow and Ldap/AD server contains a entry refer to itself like:
dn: ou=referral test,dc=example,dc=com
objectClass: extensibleObject
objectClass: referral
objectClass: top
objectClass: person
ref: ldap://localhost:10389/dc=example,dc=com
Will let jdk failed to finish search util stack over flow. So change it to be configurable, once hit the issue just configure it to ignore to avoid this issue.
More details could refer to https://bugs.openjdk.org/browse/JDK-8176553
GlobalPropertyImpact
Resolves: ZSTAC-66029
Change-Id: I77647176616e6c6d6a6a677870786e796675716c
---
 .../src/main/java/org/zstack/ldap/LdapGlobalProperty.java | 6 ++++++
 plugin/ldap/src/main/java/org/zstack/ldap/LdapUtil.java | 8 ++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/plugin/ldap/src/main/java/org/zstack/ldap/LdapGlobalProperty.java b/plugin/ldap/src/main/java/org/zstack/ldap/LdapGlobalProperty.java
index 1caf8c2de07..5fd78fba8b7 100755
--- a/plugin/ldap/src/main/java/org/zstack/ldap/LdapGlobalProperty.java
+++ b/plugin/ldap/src/main/java/org/zstack/ldap/LdapGlobalProperty.java
@@ -13,4 +13,10 @@ public class LdapGlobalProperty {
 @GlobalProperty(name = "Ldap.addServer.readTimeout", defaultValue = "5000")
 public static int LDAP_ADD_SERVER_READ_TIMEOUT;
+
+ @GlobalProperty(name = "Ldap.referral", defaultValue = "follow")
+ public static String LDAP_REFERRAL;
+
+ @GlobalProperty(name = "Ldap.connect.pool", defaultValue = "false")
+ public static boolean LDAP_CONNECT_POOL;
 }
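Review bot: `Ldap.referral` is declared with `defaultValue = "follow"`, so a deployment that never sets the property still reaches the self-referral loop described in the commit message, and the directory server keeps deciding which LDAP URLs the management node connects to. As far as I know, JNDI reuses the context's bind credentials when it follows a referral automatically, which is worth confirming before keeping `follow` as the shipped default. The field is a free-form `String`, while `java.naming.referral` accepts only `follow`, `ignore` and `throw`; nothing in this hunk rejects other values, and the `LdapUtil` code that reads it is not visible on this page. I would put `// java.naming.referral: follow | ignore | throw; "follow" connects to whatever URL the server returns` above the field and validate the value where it is consumed.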
diff --git a/plugin/ldap/src/main/java/org/zstack/ldap/LdapUtil.java b/plugin/ldap/src/main/java/org/zstack/ldap/LdapUtil.java
index 2b4c22d3eda..1f5e1df7cf8 100644
--- a/plugin/ldap/src/main/java/org/zstack/ldap/LdapUtil.java
+++ b/plugin/ldap/src/main/java/org/zstack/ldap/LdapUtil.java
@@ -1,6 +1,7 @@
 package org.zstack.ldap;
 import org.apache.commons.lang.StringUtils;
+import org.apache.logging.log4j.util.Strings;
 import org.springframework.ldap.NamingException;
 import org.springframework.ldap.control.PagedResultsDirContextProcessor;
 import org.springframework.ldap.core.DirContextOperations;
@@ -167,8 +168,11 @@ LdapContextSource buildLdapContextSource(LdapServerInventory inv, Map
Date: Wed, 29 May 2024 13:31:52 +0800
Subject: [PATCH 2/2] [ldap]: test ldap search with different referral
1. test follow refereral and check reference count
2. test ignore referral and check reference count
Resolves: ZSTAC-66029
Change-Id: I786c6b687271786b7069666a677a6567786d6e6a
---
 .../unittest/ldap/TestLdapSearchCase.java | 78 +++++++++++++++++++
 test/src/test/resources/users-import.ldif | 9 ++-
 2 files changed, 86 insertions(+), 1 deletion(-)
 create mode 100644 test/src/test/groovy/org/zstack/test/unittest/ldap/TestLdapSearchCase.java
diff --git a/test/src/test/groovy/org/zstack/test/unittest/ldap/TestLdapSearchCase.java b/test/src/test/groovy/org/zstack/test/unittest/ldap/TestLdapSearchCase.java
new file mode 100644
index 00000000000..85ba97041e5
--- /dev/null
+++ b/test/src/test/groovy/org/zstack/test/unittest/ldap/TestLdapSearchCase.java
@@ -0,0 +1,78 @@
+package org.zstack.test.unittest.ldap;
+
+import com.unboundid.ldap.sdk.*;
+import org.junit.ClassRule;
+import org.junit.Test;
+import org.zapodot.junit.ldap.EmbeddedLdapRule;
+import org.zapodot.junit.ldap.EmbeddedLdapRuleBuilder;
+
+import java.util.Arrays;
+
+public class TestLdapSearchCase {
+ public static String DOMAIN_DSN = "dc=example,dc=com";
+
+ static {
+ System.setProperty("com.unboundid.ldap.sdk.debug.enabled", "true");
+ System.setProperty("com.unboundid.ldap.sdk.debug.level", "FINEST");
+ System.setProperty("com.unboundid.ldap.sdk.LDAPConnectionOptions.followReferrals", "true");
+ }
+
+ @ClassRule
+ public static EmbeddedLdapRule embeddedLdapRule = EmbeddedLdapRuleBuilder
+ .newInstance()
+ .usingDomainDsn("dc=example,dc=com")
+ .importingLdifs("users-import.ldif")
+ .bindingToPort(10389)
+ .build();
+
+ @Test
+ public void testLdapWithIgnore() {
+ try (LDAPConnection ldapConnection = embeddedLdapRule.unsharedLdapConnection()) {
+ ldapConnection.getConnectionOptions().setFollowReferrals(false);
+ SearchResult searchResult = ldapConnection.search(
+ DOMAIN_DSN,
+ SearchScope.SUB,
+ "(objectclass=*)");
+
+ System.out.printf("Found %d entries%n", searchResult.getEntryCount());
+ for (SearchResultEntry entry : searchResult.getSearchEntries()) {
+ System.out.println(entry.getDN());
+ for (Attribute attribute : entry.getAttributes()) {
+ System.out.printf(" %s: %s%n", attribute.getName(), attribute.getValue());
+ }
+ }
+
+ System.out.println("Found referral URLs:" + Arrays.toString(searchResult.getReferralURLs()));
+ assert searchResult.getEntryCount() == 6;
+ } catch (Exception e) {
+ assert false : "Unexpected error during testLdapWithIgnore";
+ }
+ }
+
+ @Test
+ public void testLdapWithReferral() throws LDAPException {
+ try (LDAPConnection ldapConnection = embeddedLdapRule.unsharedLdapConnection()) {
+ ldapConnection.getConnectionOptions().setFollowReferrals(true);
+ SearchResult searchResult = ldapConnection.search(
+ DOMAIN_DSN,
SearchScope.SUB,
+ "(objectclass=*)");
+
+ System.out.printf("Found %d entries%n", searchResult.getEntryCount());
+ for (SearchResultEntry entry : searchResult.getSearchEntries()) {
+ System.out.println(entry.getDN());
+ for (Attribute attribute : entry.getAttributes()) {
+ System.out.printf(" %s: %s%n", attribute.getName(), attribute.getValue());
+ }
+ }
+
+ System.out.println("Found referral URLs:" + Arrays.toString(searchResult.getReferralURLs()));
+ assert searchResult.getReferenceCount() == 1024;
+ } catch (StackOverflowError e) {
+ System.out.print("stack over flow expected");
+ return;
+ }
+
+ assert false : "Unexpected here";
+ }
+}
diff --git a/test/src/test/resources/users-import.ldif b/test/src/test/resources/users-import.ldif
index a9194dd0d2a..4951536cb42 100644
--- a/test/src/test/resources/users-import.ldif
+++ b/test/src/test/resources/users-import.ldif
@@ -42,4 +42,11 @@ objectClass: inetOrgPerson
 cn: John Steinbeck
 sn: Steinbeck
 uid: jsteinbeck
-userPassword: password
\ No newline at end of file
+userPassword: password
+
+dn: ou=referral test,dc=example,dc=com
+objectClass: extensibleObject
+objectClass: referral
+objectClass: top
+objectClass: person
+ref: ldap://localhost:10389/dc=example,dc=com
\ No newline at end of file
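Review bot: Neither test in `TestLdapSearchCase.java` goes through `LdapGlobalProperty.LDAP_REFERRAL` or the `buildLdapContextSource` method named in the LdapUtil hunk header; both toggle `setFollowReferrals` on an UnboundID `LDAPConnection`, so the `ignore` setting that is meant to stop the referral loop is not exercised on the code path patch 1/2 changes. `testLdapWithReferral` can pass only by catching `StackOverflowError`, which pins the failure itself as the expected result rather than checking that the mitigation prevents it. The checks use the `assert` keyword, which does nothing unless the JVM runs with `-ea`, and `testLdapWithIgnore` replaces any exception with a bare `assert false`, dropping the cause; I would declare `throws LDAPException` as the sibling test does and write `org.junit.Assert.assertEquals(6, searchResult.getEntryCount());`. A further test that builds the context source with the property set to `ignore` and asserts that the search returns would cover the actual fix.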