When using an API key with an LDAP user against Artifactory, Artifactory queries the LDAP server twice with the same query, although a single query is sufficient.
This matters for slow LDAP servers: removing the redundant query can improve authentication performance by almost 50%.
Notes to remember:
1. There is a default cache of 5 minutes, so in practice Artifactory goes to LDAP only once every 5 minutes per user.
2. The above cache does not apply to all authentication flows. For example, with Docker the cache is only available after the fix in RTFACT-20911.
Steps to reproduce:
1. Setup Artifactory and configure LDAP. This script can be used for quick LDAP setup.
2. Add debug loggers (the below loggers are for 6.X versions) to later confirm the behaviour:
<appender name="ldap" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <File>${artifactory.home}/logs/ldap.log</File>
    <encoder>
        <pattern>%date ${artifactory.contextId}[%thread] [%-5p] \(%-20c{3}:%L\) - %m%n</pattern>
    </encoder>
    <rollingPolicy class="ch.qos.logback.core.rolling.FixedWindowRollingPolicy">
        <FileNamePattern>${artifactory.home}/logs/ldap.%i.log</FileNamePattern>
        <maxIndex>13</maxIndex>
    </rollingPolicy>
    <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
        <MaxFileSize>10MB</MaxFileSize>
    </triggeringPolicy>
</appender>
<logger name="org.springframework.security.ldap" additivity="false">
    <level value="trace"/>
    <appender-ref ref="ldap"/>
</logger>
<logger name="org.artifactory.addon.ldap" additivity="false">
    <level value="trace"/>
    <appender-ref ref="ldap"/>
</logger>
<logger name="org.artifactory.security.ldap" additivity="false">
    <level value="trace"/>
    <appender-ref ref="ldap"/>
</logger>
<logger name="org.artifactory.webapp.servlet.AccessFilter" additivity="false">
    <level value="trace"/>
    <appender-ref ref="ldap"/>
</logger>
3. Log in to the Artifactory UI as an LDAP user and create an API key.
4. Call any REST API endpoint, authenticating with the API key:
curl -uuser1:RESTRICTED_API arielk.mac:8081/artifactory/api/system/ping
(remember that there is a cache, so the LDAP lookup happens only once every 5 minutes; alternatively use "docker login" on versions prior to 6.19, where the cache is not applied)
5. Examine the logs.
Artifactory log:
2020-03-18 11:17:48,339 [http-nio-8081-exec-1] [DEBUG] (o.a.w.s.AccessFilter:298) - Cached key has been found for request: '/artifactory/api/system/ping' with method: 'GET'
2020-03-18 11:17:48,547 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapUtils :133) - Trying to find user 'user1' with LDAP settings 'org.artifactory.descriptor.security.ldap.LdapSetting@e1f68cf1'
2020-03-18 11:17:48,548 [http-nio-8081-exec-1] [INFO ] (o.s.s.l.DefaultSpringSecurityContextSource:76) - URL 'ldap://localhost:389', root DN is ''
2020-03-18 11:17:48,549 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:148) - Searching for user user1
2020-03-18 11:17:48,907 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:170) - Found user user1, has DN: cn=User1,ou=Users,ou=Organization,dc=openstack,dc=org
2020-03-18 11:17:48,908 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapUtils :136) - Found user 'user1' with LDAP settings 'org.artifactory.descriptor.security.ldap.LdapSetting@e1f68cf1'
2020-03-18 11:17:48,908 [http-nio-8081-exec-1] [INFO ] (o.s.s.l.DefaultSpringSecurityContextSource:76) - URL 'ldap://localhost:389', root DN is ''
2020-03-18 11:17:48,909 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:148) - Searching for user user1
2020-03-18 11:17:48,929 [http-nio-8081-exec-1] [DEBUG] (o.a.s.l.LdapServiceImpl:170) - Found user user1, has DN: cn=User1,ou=Users,ou=Organization,dc=openstack,dc=org
As you can see, "Searching for user" appears twice, which indicates that LDAP is queried twice.
Here are the logs from the LDAP server, which confirm this and also confirm that the same query is sent both times:
5e71e7f6 conn=1010 op=40 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
5e71e7f6 <= bdb_equality_candidates: (uid) not indexed
5e71e7f6 conn=1010 op=40 SEARCH RESULT tag=101 err=0 nentries=1 text=
5e71e7f6 conn=1010 op=41 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
5e71e7f6 <= bdb_equality_candidates: (uid) not indexed
5e71e7f6 conn=1010 op=41 SEARCH RESULT tag=101 err=0 nentries=1 text=
5e71e7f6 conn=1010 op=42 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(&(objectClass=groupOfNames)(|(member=cn=user1,ou=users,ou=organization,dc=openstack,dc=org)(?member=user1)))"
5e71e7f6 conn=1010 op=42 SRCH attr=member cn description objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation
5e71e7f6 <= bdb_equality_candidates: (member) not indexed
5e71e7f6 conn=1010 op=42 SEARCH RESULT tag=101 err=0 nentries=3 text=
5e71e802 conn=1010 op=43 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
5e71e802 <= bdb_equality_candidates: (uid) not indexed
5e71e802 conn=1010 op=43 SEARCH RESULT tag=101 err=0 nentries=1 text=
5e71e802 conn=1010 op=44 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
5e71e802 <= bdb_equality_candidates: (uid) not indexed
5e71e802 conn=1010 op=44 SEARCH RESULT tag=101 err=0 nentries=1 text=
5e71e802 conn=1010 op=45 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(&(objectClass=groupOfNames)(|(member=cn=user1,ou=users,ou=organization,dc=openstack,dc=org)(?member=user1)))"
5e71e802 conn=1010 op=45 SRCH attr=member cn description objectClass javaSerializedData javaClassName javaFactory javaCodeBase javaReferenceAddress javaClassNames javaRemoteLocation
5e71e802 <= bdb_equality_candidates: (member) not indexed
5e71e802 conn=1010 op=45 SEARCH RESULT tag=101 err=0 nentries=3 text=
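To make step 5 mechanical, here is an added checker (not part of the original report and not Artifactory code) that reads slapd access-log lines like the ones above and flags a search whose base, scope and filter are identical to the previous search on the same connection. The sample log is constructed after the one in the report.

```python
import re

# Matches an OpenLDAP (slapd) "SRCH" request line; RESULT and "attr=" lines are ignored.
SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d+) deref=(?P<deref>\d+) filter="(?P<filter>.*)"$'
)

# Constructed sample, modelled on the slapd log in the report (two redundant uid lookups).
SAMPLE_SLAPD_LOG = """\
5e71e7f6 conn=1010 op=40 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
5e71e7f6 <= bdb_equality_candidates: (uid) not indexed
5e71e7f6 conn=1010 op=40 SEARCH RESULT tag=101 err=0 nentries=1 text=
5e71e7f6 conn=1010 op=41 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
5e71e7f6 conn=1010 op=41 SEARCH RESULT tag=101 err=0 nentries=1 text=
5e71e7f6 conn=1010 op=42 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(&(objectClass=groupOfNames)(member=cn=user1,ou=users,ou=organization,dc=openstack,dc=org))"
5e71e7f6 conn=1010 op=42 SRCH attr=member cn description objectClass
5e71e7f6 conn=1010 op=42 SEARCH RESULT tag=101 err=0 nentries=3 text=
5e71e802 conn=1010 op=43 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
5e71e802 conn=1010 op=44 SRCH base="dc=openstack,dc=org" scope=2 deref=3 filter="(uid=user1)"
""".splitlines()


def parse_searches(lines):
    """Yield (conn, op, base, scope, filter) for every SRCH request line."""
    for line in lines:
        m = SRCH_RE.search(line.strip())
        if m:
            yield int(m["conn"]), int(m["op"]), m["base"], m["scope"], m["filter"]


def find_repeated_searches(lines):
    """Return [(conn, first_op, repeat_op, filter)] for each search that repeats
    the immediately preceding search on the same connection verbatim."""
    last = {}  # conn -> (op, base, scope, filter) of the previous search
    repeats = []
    for conn, op, base, scope, flt in parse_searches(lines):
        prev = last.get(conn)
        if prev is not None and prev[1:] == (base, scope, flt):
            repeats.append((conn, prev[0], op, flt))
        last[conn] = (op, base, scope, flt)
    return repeats


if __name__ == "__main__":
    for conn, first, repeat, flt in find_repeated_searches(SAMPLE_SLAPD_LOG):
        print(f"conn={conn}: op={repeat} repeats op={first} with filter {flt}")
```

Run it against a real slapd log with `find_repeated_searches(open("slapd.log"))`; a clean Artifactory build should report no repeats for the `(uid=...)` lookup.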
Relates to: RTFACT-21914 Exception isn't caught correctly when authenticating with API key with LDAP user (Open)