[RTFACT-12365] Improve LDAP Group query speed for LDAP Login Created: 30/Aug/16  Updated: 14/Nov/17  Resolved: 29/Nov/16

Status: Resolved
Project: Artifactory Binary Repository
Component/s: LDAP
Affects Version/s: 4.11.0, 4.11.2, 4.12.0, 4.13.0, 4.14.0
Fix Version/s: 4.14.2

Type: Improvement Priority: Critical
Reporter: Joshua Han Assignee: Yuval Reches
Resolution: Fixed Votes: 3
Labels: None

Attachments: File ldap-login2.pcap.pcap     PNG File ldap-pcap.png    
Issue Links:
Relationship
is related to RTFACT-14132 Login fails when a user does not have... Resolved
Assigned QA: Mor Iluz (Inactive)
Sprint: Leap 2

 Description   

Artifactory's Static group mapping strategy makes searches using an LDAP query similar to the one below.
ldapsearch -xLLL -H "ldap://10.60.1.88:389" -b "ou=groups,dc=support,dc=sup-docker" "(&(objectClass=groupOfUniqueNames)(|(uniqueMember=uid=kwinters,ou=People,dc=support,dc=sup-docker)(uniqueMember=kwinters)))"

When a user has many groups and there is no room to optimize the filters anymore, then the login takes a long time to download ALL attributes of the groups that the search returns.

To enhance this, please make Artifactory search only for the dn of the group instead of all of its attributes, similar to the query below:

ldapsearch -xLLL -H "ldap://10.60.1.88:389" -b "ou=groups,dc=support,dc=sup-docker" "(&(objectClass=groupOfUniqueNames)(|(uniqueMember=uid=kwinters,ou=People,dc=support,dc=sup-docker)(uniqueMember=kwinters)))" dn
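
To put numbers on the difference between the two queries above, the following added example (not part of the original ticket and not Artifactory's code) BER-encodes the RFC 4511 SearchResultEntry messages a server would return for a user's groups, once with all attributes and once with only `dn` requested. The group names, member names, the 100 groups and the 500 members per group are constructed assumptions.

```python
# Added example (constructed data): size of RFC 4511 SearchResultEntry
# messages when group entries are returned with all attributes vs. none.
BASE = "ou=groups,dc=support,dc=sup-docker"
PEOPLE = "ou=People,dc=support,dc=sup-docker"

def ber(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def octets(s: str) -> bytes:
    return ber(0x04, s.encode())  # OCTET STRING

def search_result_entry(msg_id: int, dn: str, attrs: dict) -> bytes:
    """LDAPMessage { messageID, SearchResultEntry [APPLICATION 4] }."""
    partial = b"".join(
        ber(0x30, octets(name) + ber(0x31, b"".join(map(octets, vals))))
        for name, vals in attrs.items())
    entry = ber(0x64, octets(dn) + ber(0x30, partial))
    mid = msg_id.to_bytes((msg_id.bit_length() + 8) // 8, "big")
    return ber(0x30, ber(0x02, mid) + entry)

def make_group(i: int, members: int):
    """Hypothetical groupOfUniqueNames entry with `members` members."""
    return f"cn=group{i:04d},{BASE}", {
        "objectClass": ["top", "groupOfUniqueNames"],
        "cn": [f"group{i:04d}"],
        "uniqueMember": [f"uid=user{m:05d},{PEOPLE}" for m in range(members)],
    }

def response_bytes(groups: int, members: int, requested=None) -> int:
    """Bytes the server sends for `groups` matching entries.
    requested=None returns all attributes; a list returns only those named.
    "dn" is not an attribute type, so ["dn"] leaves only the entry's DN."""
    total = 0
    for i in range(groups):
        dn, attrs = make_group(i, members)
        if requested is not None:
            wanted = {a.lower() for a in requested}
            attrs = {k: v for k, v in attrs.items() if k.lower() in wanted}
        total += len(search_result_entry(2, dn, attrs))
    return total

if __name__ == "__main__":
    for label, req in (("all attributes", None), ("dn only", ["dn"])):
        print(f"{label:>14}: {response_bytes(100, 500, req):>9} bytes")
```

The `dn`-only size stays constant however many members each group has, while the all-attributes size grows with every `uniqueMember` value.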



 Comments   
Comment by Yeou-Fang Wang [ 30/Aug/16 ]

It takes 30+ seconds for each login in our current Artifactory instance and it is getting worse as we add more LDAP groups. Sometimes users encounter a timeout at around 60 seconds. This is really frustrating as people cannot log into Artifactory to get needed binaries for their daily work and it is frustrating for us to introduce Artifactory to other users. This could also impact the possibility to acquire other products from JFrog.

In our organization, LDAP group is used to control permissions for many other applications. There are about 5,000 LDAP groups and each person can belong to 30 to 100 LDAP groups. Please consider this a high priority item to fix. Thanks.
