goauthentik · ChandonPierre · Nov 16, 2024
@@ -11,7 +11,7 @@
 from django.db import connection, models
 from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
-from ldap3 import ALL, NONE, RANDOM, Connection, Server, ServerPool, Tls
+from ldap3 import ALL, NONE, RANDOM, RESTARTABLE, Connection, Server, ServerPool, Tls
 from ldap3.core.exceptions import LDAPException, LDAPInsufficientAccessRightsResult, LDAPSchemaError
 from rest_framework.serializers import Serializer
 
@@ -20,7 +20,7 @@
 from authentik.lib.config import CONFIG
 from authentik.lib.models import DomainlessURLValidator
 
-LDAP_TIMEOUT = 15
+LDAP_TIMEOUT = 60
 LDAP_UNIQUENESS = "ldap_uniq"
 LDAP_DISTINGUISHED_NAME = "distinguishedName"
 
@@ -213,8 +213,8 @@ def connection(
             connection_kwargs.setdefault("password", self.bind_password)
         conn = Connection(
             server or self.server(**server_kwargs),
-            raise_exceptions=True,
-            receive_timeout=LDAP_TIMEOUT,
+            raise_exceptions=CONFIG.get("ldap.raise_exceptions", True),
+            client_strategy=RESTARTABLE,
             **connection_kwargs,
         )
 

@@ -1,6 +1,7 @@
 """Sync LDAP Users and groups into authentik"""
 
 from collections.abc import Generator
+from time import sleep
 
 from django.conf import settings
 from ldap3 import DEREF_ALWAYS, SUBTREE, Connection
@@ -91,11 +92,14 @@
         controls=None,
         paged_size=None,
         paged_criticality=False,
+        rate_limit_delay=None,
     ):
         """Search in pages, returns each page"""
         cookie = True
         if not paged_size:
             paged_size = CONFIG.get_int("ldap.page_size", 50)
+        if rate_limit_delay is None:
+            rate_limit_delay = CONFIG.get_int("ldap.rate_limit_delay", 0)
         while cookie:
             self._connection.search(
                 search_base,
@@ -118,4 +122,5 @@
                 ]
             except KeyError:
                 cookie = None
+            sleep(rate_limit_delay)
             yield self._connection.response