Strange problem with Shibboleth authentication

For a few days, we have been seeing from time to time a strange error with the Shibboleth authentication, with the following error:

Authentication via None failed: Size limit exceeded (try setting a smaller page size) (None)
15:34

Does it sound familiar to somebody? The detailed error is below.

Michel

{u'data': {u'get': {},
           u'headers': {'Accept': u'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
                        'Accept-Encoding': u'gzip, deflate, br',
                        'Accept-Language': u'fr,fr-FR;q=0.8,en;q=0.5,en-US;q=0.3',
                        'Connection': u'keep-alive',
                        'Cookie': u'indico_session=36c3c521-6edc-4f0d-bdb9-152b9b627464; _shibsession_64656661756c7468747470733a2f2f696e6469636f2e696a636c61622e696e3270332e66722f7370=_f622e2e1115bb7a389f6da41bbdf85c3',
                        'Dnt': u'1',
                        'Host': u'indico.ijclab.in2p3.fr',
                        'Referer': u'https://indico.ijclab.in2p3.fr/login/?next=%2Fcategory%2F292%2F',
                        'Upgrade-Insecure-Requests': u'1',
                        'User-Agent': u'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0'},
           u'json': None,
           u'post': {},
           u'url': {}},
 u'endpoint': u'_flaskmultipass_shibboleth_shib-sso',
 u'id': '122225b652104755',
 u'ip': '93.3.66.128',
 u'method': 'GET',
 u'referrer': 'https://indico.ijclab.in2p3.fr/login/?next=%2Fcategory%2F292%2F',
 u'rh': 'RHSimple',
 u'time': '2021-03-09T15:34:45.507177',
 u'url': u'https://indico.ijclab.in2p3.fr/login/shib-sso/shibboleth',
 u'user': None,
 u'user_agent': u'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0'}

I think that error may be from LDAP - try lowering the page_size in the ldap config of the ldap identity provider…

Thanks. I forgot about that. It’s true that a lot of accounts have been added to our AD in the last month and we may have reached a threshold. I’ll check.

Michel

Unfortunately, it doesn’t help… I tried to reduce page_size to 1000 or increase it to 2000 (it was 1500) but it doesn’t help. The problem seems to affect some users, not all of them, when the access is checked for a category protected by an Active Directory group (so it is clearly LDAP related).

Michel

Digging a little bit more into the problem, I identified that the problem started in fact today (with only one occurrence of the error before, 5 days ago) and as far as I can say up to now, I identified only one user with the problem. This user doesn’t have the problem on categories where he is an administrator.

Not sure how to get more details about the error.

Michel

For the record, the problem was caused by 2 Active Directory accounts configured with the same email. The LDAP provider seems unhappy when it finds 2 users matching the same email but gives an error that seems not exactly optimal…

Michel
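
A check for the condition reported in the last post, added here as an example and not code from Indico, Flask-Multipass or any poster in this thread: it scans an LDIF export of the directory and lists every mail value held by more than one entry. The LDIF sample, the DNs and the function names are constructed for illustration, and comparing the mail attribute case-insensitively is an assumption.

```python
import base64
from collections import defaultdict

# Constructed sample export in LDIF form (not data from the thread).
SAMPLE_LDIF = """\
dn: CN=Alice Martin,OU=Users,DC=example,DC=org
mail: Alice.Martin@example.org

dn: CN=Alice Martin (admin),OU=Admins,DC=example,DC=org
mail: alice.martin@example.org

dn: CN=Bob Durand,OU=Users,DC=example,DC=org
mail:: Ym9iLmR1cmFuZEBleGFtcGxlLm9yZw==

dn: CN=Service Account,OU=Users,DC=example,
 DC=org
"""

def parse_ldif(text):
    """Yield (dn, {attr_lower: [values]}) for each entry of a simple LDIF export."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), []).append(value.strip())

def duplicate_emails(ldif_text):
    """Return {email: [dn, ...]} for every address held by more than one entry."""
    owners = defaultdict(set)
    for dn, attrs in parse_ldif(ldif_text):
        for mail in attrs.get("mail", []):
            owners[mail.casefold()].add(dn)
    return {m: sorted(dns) for m, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for mail, dns in duplicate_emails(SAMPLE_LDIF).items():
        print(mail, "->", "; ".join(dns))
```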