LdapTemplate.lookupContext with IncrementalAttributesMapper

[fishbone1]

It seems that DirContextOperations returned by LdapTemplate.lookupContext() doesn't correctly support multi value attributes if the value count exceeds the LDAP fetch limit (1500 in our case).

Following code doesn't work as expected:

DirContextOperations dirContextOperations = ldapTemplate.lookupContext(groupDn);

boolean addIfDuplicateExists = false;
dirContextOperations.addAttributeValue("member", userDn, addIfDuplicateExists);

ldapTemplate.modifyAttributes(dirContextOperations);

This will cause AttributeInUseException although addIfDuplicateExists is false if there is a too large amount of users in the group. I assume it's because DirContextOperations didn't receive all values. Maybe it's also related to #561 and existing members won't be loaded at all since the attribute's name changes from "member" to "member;range=0-1499". I couldn't check that yet.

My suggestion would be to add a new LdapTemplate::lookupContext() variant with IncrementalAttributesMapper argument:

public DirContextOperations lookupContext(Name dn, IncrementalAttributesMapper mapper)

Example usage:

IncrementalAttributesMapper<DefaultIncrementalAttributesMapper>attributesMapper =
    new DefaultIncrementalAttributesMapper(new String[] { "member" });
DirContextOperations dirContextOperations = ldapTemplate.lookupContext(groupDn, attributesMapper);

But - most importantly - there should be a hint in the documentation, that lookupContext() doesn't support multi value attributes except if you can guarantee that there won't be more values than a single fetch returns.

[fishbone1]

I also wonder if other methods like DirContextOperations::removeAttributeValue("member", memberDn) work. It looks as if the code checks whether the attribute value is available. This check has probably the same issue, so the answer will always be no and therfore nothing will be removed.

I find lots of code like that and don't know, what works safely at all. This is a huge problem! It would be great if at least there was a workaround. I wonder if you could replace originalAttrs of DirContextAdapter with a version that contains the missing members, for example.

[wolfaba]

I have incorrectly reported our similar problem using DirContextOperations.addAttributeValue() to object with 1500+ values (members in the group) in In spring-projects/spring-framework#35604. I will not create another issue here, just link my original post if someone want to read it.
Thank you for ideas.