sources/ldap: catch Google LDAP rate-limit errors during schema fetch (#21638)

When connecting to Google Secure LDAP, the ldap3 library fetches schema
info during bind() with get_info=ALL. Google rate-limits these schema
queries, raising LDAPAdminLimitExceededResult, and also returns
unsupported attributes, raising LDAPAttributeError.

The existing fallback logic retries with get_info=NONE but only catches
LDAPSchemaError and LDAPInsufficientAccessRightsResult. Add the two
missing exception types so the fallback works for Google Secure LDAP.

Fixes sync failures when using Google Secure LDAP as a federation source,
where every sync page task opens a new connection and the concurrent
schema fetches exhaust Google's rate budget.
Marcus Pamelia
2026-04-16 13:58:08 +02:00
committed by GitHub
parent 404570a4d2
commit b3e7a01f10
+16 -3
@@ -12,7 +12,13 @@ from django.db import connection, models
from django.templatetags.static import static
from django.utils.translation import gettext_lazy as _
from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
from ldap3.core.exceptions import (
LDAPAdminLimitExceededResult,
LDAPAttributeError,
LDAPException,
LDAPInsufficientAccessRightsResult,
LDAPSchemaError,
)
from rest_framework.serializers import Serializer
from structlog.stdlib import get_logger
@@ -278,10 +284,17 @@ class LDAPSource(IncomingSyncSource):
successful = conn.bind()
if successful:
return conn
except (LDAPSchemaError, LDAPInsufficientAccessRightsResult) as exc:
# Schema error, so try connecting without schema info
except (
LDAPSchemaError,
LDAPInsufficientAccessRightsResult,
LDAPAdminLimitExceededResult,
LDAPAttributeError,
) as exc:
# Schema error or rate limit during schema fetch, retry without schema info
# See https://github.com/goauthentik/authentik/issues/4590
# See also https://github.com/goauthentik/authentik/issues/3399
# LDAPAdminLimitExceededResult: Google Secure LDAP rate-limits schema queries
# LDAPAttributeError: Google Secure LDAP returns unsupported attrs in schema
if server_kwargs.get("get_info", ALL) == NONE:
LOGGER.warning("Failed to connect after schema downgrade", source=self, exc=exc)
raise exc
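Review bot: in the widened except clause, the retry still only runs after a get_info=ALL bind has already failed, so with the per-task connections described in the commit message every new connection spends one rate-limited schema query before it downgrades. Consider remembering the downgrade for the source, or letting the caller request get_info=NONE up front, so later connections skip the schema fetch entirely. Separately, LDAPAdminLimitExceededResult and LDAPAttributeError are not specific to schema retrieval in ldap3, and the only log call visible in this hunk is on the path where the retry has also failed; logging the exception type at the point of the first downgrade would make it clear in the sync logs why schema info was dropped. The +16 -3 total is fully accounted for by these two hunks, so the commit carries no test for the new exception types; a unit test that makes bind() raise each of them and asserts the second attempt uses get_info=NONE would cover the change.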