Artifactory Binary Repository / RTFACT-21570

Using API Key with LDAP user leads to redundant query to LDAP server


    Details

    • Type: Bug
    • Status: Done
    • Resolution: Done
    • Affects Version/s: 6.18.0
    • Fix Version/s: 7.12.3, 6.23.7
    • Component/s: None
    • Labels: None
    • Severity: High
    • Release Notes: Yes

      Description

      When an API Key belonging to an LDAP user is used against Artifactory, Artifactory queries the LDAP server twice with the same query, although once is enough.

      This matters for slow LDAP servers: removing the redundant query can improve authentication performance by almost 50%.

      Notes to remember:
      1. There is a default cache of 5 min, so LDAP is actually queried only once per user every 5 minutes.
      2. The above cache does not apply to all authentication flows. For Docker, for example, it is available only after the fix in RTFACT-20911.

      Steps to reproduce:
      1. Set up Artifactory and configure LDAP. This script can be used for a quick LDAP setup.
      2. Add debug loggers (the loggers below are for 6.x versions) so the behaviour can be confirmed later:

      <!-- Dedicated appender so the LDAP trace output does not flood artifactory.log -->
      <appender name="ldap" class="ch.qos.logback.core.rolling.RollingFileAppender">
        <File>${artifactory.home}/logs/ldap.log</File>
        <encoder>
          <pattern>%date ${artifactory.contextId}[%thread] [%-5p] \(%-20c{3}:%L\) - %m%n</pattern>
        </encoder>
        <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
          <FileNamePattern>${artifactory.home}/logs/ldap.%i.log</FileNamePattern>
          <maxIndex>13</maxIndex>
        </rollingPolicy>
        <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
          <MaxFileSize>10MB</MaxFileSize>
        </triggeringPolicy>
      </appender>

      <!-- additivity="false" keeps these trace lines out of the root logger's appenders -->
      <logger name="org.springframework.security.ldap" additivity="false">
        <level value="trace"/>
        <appender-ref ref="ldap"/>
      </logger>
      <logger name="org.artifactory.addon.ldap" additivity="false">
        <level value="trace"/>
        <appender-ref ref="ldap"/>
      </logger>
      <logger name="org.artifactory.security.ldap" additivity="false">
        <level value="trace"/>
        <appender-ref ref="ldap"/>
      </logger>
      <!-- AccessFilter logs whether the API key was served from cache for each request -->
      <logger name="org.artifactory.webapp.servlet.AccessFilter" additivity="false">
        <level value="trace"/>
        <appender-ref ref="ldap"/>
      </logger>


      3. Login to the Artifactory UI via an LDAP user and create an API key.
      4. Run any REST API and authenticate using the API key:

      curl -uuser1:RESTRICTED_API arielk.mac:8081/artifactory/api/system/ping
      

      (Remember the cache: the LDAP queries will be seen only once per 5 minutes. Alternatively, use "docker login" in versions prior to 6.19.)

      5. Examine the logs.
      Artifactory log:

      2020-03-18 11:17:48,339 [http-nio-8081-exec-1] [DEBUG] (o.a.w.s.AccessFilter:298) - Cached key has been found for request: '/artifactory/api/system/ping' with method: 'GET'
      2020-03-18 11:17:48,547 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapUtils   :133) - Trying to find user 'user1' with LDAP settings 'org.artifactory.descriptor.security.ldap.LdapSetting@e1f68cf1'
      2020-03-18 11:17:48,548 [http-nio-8081-exec-1] [INFO ] (o.s.s.l.DefaultSpringSecurityContextSource:76) -  URL 'ldap://localhost:389', root DN is ''
      2020-03-18 11:17:48,549 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:148) - Searching for user user1
      2020-03-18 11:17:48,907 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:170) - Found user user1, has DN: cn=User1,ou=Users,ou=Organization,dc=openstack,dc=org
      2020-03-18 11:17:48,908 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapUtils   :136) - Found user 'user1' with LDAP settings 'org.artifactory.descriptor.security.ldap.LdapSetting@e1f68cf1'
      2020-03-18 11:17:48,908 [http-nio-8081-exec-1] [INFO ] (o.s.s.l.DefaultSpringSecurityContextSource:76) -  URL 'ldap://localhost:389', root DN is ''
      2020-03-18 11:17:48,909 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:148) - Searching for user user1
      2020-03-18 11:17:48,929 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:170) - Found user user1, has DN: cn=User1,ou=Users,ou=Organization,dc=openstack,dc=org
      

      As you can see, "Searching for user" appears twice, which indicates that we query LDAP twice.
      The logs from the LDAP server below confirm this, and also confirm that the same query is sent both times:

      5e71e7f6 conn=1010 op=40 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
      5e71e7f6 <= bdb_equality_candidates: (uid) not indexed
      5e71e7f6 conn=1010 op=40 SEARCH RESULT tag=101 err=0 nentries=1 text=
      5e71e7f6 conn=1010 op=41 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
      5e71e7f6 <= bdb_equality_candidates: (uid) not indexed
      5e71e7f6 conn=1010 op=41 SEARCH RESULT tag=101 err=0 nentries=1 text=
      5e71e7f6 conn=1010 op=42 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(&(objectClass=groupOfNames)(|(member=cn=user1,ou=users,ou=organization,dc=openstack,dc=org)(?member=user1)))"
      5e71e7f6 conn=1010 op=42 SRCH attr=member cn description objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation
      5e71e7f6 <= bdb_equality_candidates: (member) not indexed
      5e71e7f6 conn=1010 op=42 SEARCH RESULT tag=101 err=0 nentries=3 text=
      5e71e802 conn=1010 op=43 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
      5e71e802 <= bdb_equality_candidates: (uid) not indexed
      5e71e802 conn=1010 op=43 SEARCH RESULT tag=101 err=0 nentries=1 text=
      5e71e802 conn=1010 op=44 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
      5e71e802 <= bdb_equality_candidates: (uid) not indexed
      5e71e802 conn=1010 op=44 SEARCH RESULT tag=101 err=0 nentries=1 text=
      5e71e802 conn=1010 op=45 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(&(objectClass=groupOfNames)(|(member=cn=user1,ou=users,ou=organization,dc=openstack,dc=org)(?member=user1)))"
      5e71e802 conn=1010 op=45 SRCH attr=member cn description objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation
      5e71e802 <= bdb_equality_candidates: (member) not indexed
      5e71e802 conn=1010 op=45 SEARCH RESULT tag=101 err=0 nentries=3 text=
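      The double lookup can be checked mechanically instead of by eye. The Python script below is an added example, not part of this issue or of Artifactory's code: it parses Artifactory ldap.log lines and OpenLDAP slapd SRCH lines in the formats quoted above, counts "Searching for user" lines per thread and user, and reports consecutive SRCH operations on one LDAP connection that repeat the previous operation's base, scope, deref and filter exactly. The sample log lines inside the script are constructed to mirror those formats (with an example.org base DN) and are not copied from a real system.

```python
"""Spot redundant LDAP user lookups in Artifactory and slapd logs.

Added example for RTFACT-21570; not Artifactory code. The sample lines
below are constructed to mirror the log formats quoted in the issue.
"""
import re
from collections import defaultdict

# Artifactory ldap.log line as produced by the debug loggers from step 2.
ARTIFACTORY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] \[(?P<level>[A-Z ]+)\] "
    r"\((?P<logger>[^)]+)\) - (?P<msg>.*)$"
)
SEARCHING_RE = re.compile(r"^Searching for user (?P<user>\S+)$")

# OpenLDAP slapd "stats" loglevel SRCH line.
SLAPD_SRCH_RE = re.compile(
    r"^(?P<ts>[0-9a-f]+) conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH "
    r'base="(?P<base>[^"]*)" scope=(?P<scope>\d) deref=(?P<deref>\d) '
    r'filter="(?P<filter>.*)"$'
)

# Constructed sample: one API-key request on one Tomcat thread (looked up
# twice) and a second thread that looked its user up once.
SAMPLE_ARTIFACTORY_LOG = [
    "2020-03-18 11:17:48,339 [http-nio-8081-exec-1] [DEBUG] (o.a.w.s.AccessFilter:298) - Cached key has been found for request: '/artifactory/api/system/ping' with method: 'GET'",
    "2020-03-18 11:17:48,548 [http-nio-8081-exec-1] [INFO ] (o.s.s.l.DefaultSpringSecurityContextSource:76) -  URL 'ldap://localhost:389', root DN is ''",
    "2020-03-18 11:17:48,549 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:148) - Searching for user user1",
    "2020-03-18 11:17:48,907 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:170) - Found user user1, has DN: cn=User1,ou=Users,dc=example,dc=org",
    "2020-03-18 11:17:48,909 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:148) - Searching for user user1",
    "2020-03-18 11:17:48,929 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:170) - Found user user1, has DN: cn=User1,ou=Users,dc=example,dc=org",
    "2020-03-18 11:17:50,100 [http-nio-8081-exec-2] [DEBUG] (o.a.s.l.LdapServiceImpl:148) - Searching for user user2",
]

# Constructed sample: slapd side of the same two requests.
SAMPLE_SLAPD_LOG = [
    '5e71e7f6 conn=1010 op=40 SRCH base="dc=example,dc=org" scope=2 deref=3 filter="(uid=user1)"',
    "5e71e7f6 <= bdb_equality_candidates: (uid) not indexed",
    "5e71e7f6 conn=1010 op=40 SEARCH RESULT tag=101 err=0 nentries=1 text=",
    '5e71e7f6 conn=1010 op=41 SRCH base="dc=example,dc=org" scope=2 deref=3 filter="(uid=user1)"',
    "5e71e7f6 conn=1010 op=41 SEARCH RESULT tag=101 err=0 nentries=1 text=",
    '5e71e7f6 conn=1010 op=42 SRCH base="dc=example,dc=org" scope=2 deref=3 filter="(&(objectClass=groupOfNames)(member=cn=user1,ou=users,dc=example,dc=org))"',
    "5e71e7f6 conn=1010 op=42 SRCH attr=member cn description objectClass",
    "5e71e7f6 conn=1010 op=42 SEARCH RESULT tag=101 err=0 nentries=3 text=",
    '5e71e802 conn=1011 op=3 SRCH base="dc=example,dc=org" scope=2 deref=3 filter="(uid=user2)"',
    "5e71e802 conn=1011 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=",
]


def user_searches_per_thread(lines):
    """Count 'Searching for user X' lines per (thread, user).

    One authenticated request runs on one Tomcat thread, so a count above 1
    for the same user on the same thread means the directory was consulted
    more than once while serving that request.
    """
    counts = defaultdict(int)
    for line in lines:
        m = ARTIFACTORY_RE.match(line.strip())
        if not m:
            continue
        s = SEARCHING_RE.match(m.group("msg").strip())
        if s:
            counts[(m.group("thread"), s.group("user"))] += 1
    return dict(counts)


def flag_double_lookups(counts):
    """Return the (thread, user) pairs that were looked up more than once."""
    return sorted(key for key, n in counts.items() if n > 1)


def redundant_slapd_searches(lines):
    """Return consecutive SRCH ops on one connection that repeat the
    previous op's base/scope/deref/filter exactly.

    Each hit is (conn, first_op, repeated_op, filter). Non-SRCH lines
    (candidates, SEARCH RESULT, attr lists) are ignored.
    """
    last = {}  # conn -> (op, search key)
    hits = []
    for line in lines:
        m = SLAPD_SRCH_RE.match(line.strip())
        if not m:
            continue
        conn = m.group("conn")
        key = (m.group("base"), m.group("scope"), m.group("deref"), m.group("filter"))
        prev = last.get(conn)
        if prev and prev[1] == key:
            hits.append((conn, prev[0], m.group("op"), m.group("filter")))
        last[conn] = (m.group("op"), key)
    return hits


if __name__ == "__main__":
    counts = user_searches_per_thread(SAMPLE_ARTIFACTORY_LOG)
    for thread, user in flag_double_lookups(counts):
        print(f"Artifactory: thread {thread} searched for {user} {counts[(thread, user)]} times")
    for conn, op1, op2, flt in redundant_slapd_searches(SAMPLE_SLAPD_LOG):
        print(f"slapd: conn={conn} op={op2} repeats op={op1} filter={flt}")
```

      Run it against your own ldap.log and slapd log (replace the sample lists with `open(...).read().splitlines()`); on an unfixed 6.18.0 instance the slapd check should report a repeated `(uid=...)` search for every API-key request that missed the 5-minute cache, and report nothing after the fix.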
      

      People

      Assignee: Ariel Kabov (arielk)
      Reporter: Ariel Kabov (arielk)
      Votes: 1
      Watchers: 5