57 changes: 48 additions & 9 deletions src/CommonLib/LdapUtils.cs
Expand Up @@ -143,6 +143,9 @@ public IAsyncEnumerable<LdapResult<IDirectoryObject>> PagedQuery(LdapQueryParame
if (Cache.GetIDType(sid, out var type)) {
return (true, type);
}
else if (_unresolvablePrincipals.Contains(GetDomainSidFromObjectSid(sid))) {
return (false, Label.Base);
}

var tempDomain = domain;

Expand Down Expand Up @@ -330,14 +333,7 @@ public IAsyncEnumerable<LdapResult<IDirectoryObject>> PagedQuery(LdapQueryParame
}

public virtual async Task<(bool Success, string DomainName)> GetDomainNameFromSid(string sid) {
string domainSid;
try {
domainSid = new SecurityIdentifier(sid).AccountDomainSid?.Value.ToUpper();
}
catch {
var match = SIDRegex.Match(sid);
domainSid = match.Success ? match.Groups[1].Value : null;
}
var domainSid = GetDomainSidFromObjectSid(sid);

if (domainSid == null) {
return (false, "");
Expand Down Expand Up @@ -384,8 +380,26 @@ public IAsyncEnumerable<LdapResult<IDirectoryObject>> PagedQuery(LdapQueryParame
return (false, string.Empty);
}

private string GetDomainSidFromObjectSid(string sid) {
try {
return new SecurityIdentifier(sid).AccountDomainSid?.Value.ToUpper();
}
catch {
var match = SIDRegex.Match(sid);
return match.Success ? match.Groups[1].Value : null;
}
}

private async Task<(bool Success, string DomainName)> ConvertDomainSidToDomainNameFromLdap(string domainSid) {
if (!GetDomain(out var domain) || domain?.Name == null) {
Domain domain;
try {
if (!GetDomainWithUnreachableThrow(out domain) || domain?.Name == null) {
return (false, string.Empty);
}
}
catch (ActiveDirectoryOperationException) {
// Domain is unreachable, add to unresolvable sids
_unresolvablePrincipals.Add(domainSid);
return (false, string.Empty);
}

Expand Down Expand Up @@ -576,6 +590,31 @@ public bool GetDomain(out Domain domain) {
}
}

private bool GetDomainWithUnreachableThrow(out Domain domain) {
if (_domainCache.TryGetValue(_nullCacheKey, out domain)) return true;

try {
var context = _ldapConfig.Username != null
? new DirectoryContext(DirectoryContextType.Domain, _ldapConfig.Username,
_ldapConfig.Password)
: new DirectoryContext(DirectoryContextType.Domain);

// Blocking External Call
domain = Domain.GetDomain(context);
_domainCache.TryAdd(_nullCacheKey, domain);
return true;
}
catch (ActiveDirectoryOperationException e) when (e.Message.Equals("Current security context is not associated with an Active Directory domain or forest.", StringComparison.OrdinalIgnoreCase)) {
// This domain is unreachable
throw;
}
catch (Exception e) {
_log.LogDebug(e, "GetDomain call failed for blank domain");
domain = null;
return false;
}
}

public async Task<(bool Success, TypedPrincipal Principal)> ResolveAccountName(string name, string domain) {
if (string.IsNullOrWhiteSpace(name)) {
return (false, null);
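Review bot: The rethrow filter in GetDomainWithUnreachableThrow (the `when` clause on its first catch) keys the "unreachable" decision on the exact English exception text, so a localized runtime or a reworded message in a later framework build would fall through to the second catch, log at Debug and return false, and ConvertDomainSidToDomainNameFromLdap would then never populate `_unresolvablePrincipals` and would repeat the blocking `Domain.GetDomain` call for every SID. Hoist the string into a named `const` with a comment recording where the text originates, and if the exception's `ErrorCode` carries a distinct value for this case — I cannot confirm one from here — match on that as well. The method also duplicates the body of `GetDomain`, whose start is above this hunk; having `GetDomain` call this method and catch the rethrown exception would keep the two paths from drifting. A `<summary>` on the new method stating that it rethrows only the not-associated-with-a-domain failure and returns false for every other exception would make the contract explicit for the caller.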