LDAP usergroup sync makes logins very slow
Checking the LDAP auth source configuration option "Usergroup Sync" ('External user groups will be synced on login, else relies on periodic cronjob to check group membership') makes logins in my environment take ~30s, compared with ~3s without the option.
The option is very useful, especially when new users log in; without it they won't have any expected permissions until the cron job for syncing usergroups runs. Is there any way to speed up this process? Or maybe configure it so it only runs when a new user is created?
Fixes #31165 - sync usergroups only for given user :racehorse:
In @17c4b47 we've disabled synchronization of groups for user from different auth sources.
That gave us the opportunity to sync the groups directly from fetched groups.
This is changing the Auditing of group membership, as of now it is being audited as User update, not Usergroup update.
#1 Updated by Lukas Zapletal 9 months ago
- Status changed from New to Need more information
Test the lookup from the Foreman server using a command-line tool; this worked fine the last time I tried it. I believe you need to make sure lookups are fast on your infrastructure. If your LDAP/MSAD server is far away, deploy a local instance near Foreman.
#2 Updated by Adam Winberg 9 months ago
Not sure how the Foreman lookup is performed, but I can do a ldapsearch lookup listing all groups for a specific user:
$ ldapsearch <options> -b OU=Groups,DC=ad,DC=example,DC=com "(&(objectClass=group)(member=CN=<user>,OU=People,DC=ad,DC=example,DC=com))"
This query takes ~0.031s.
Looking at the debug logs, Foreman seems to first look up the groups I am a member of and then proceeds to make lookups of every member of all those groups, resulting in about 1500 lookups. Is there really a need for looking up every user instead of just looking up the groups? (With ldapsearch, first looking up the user's groups and then looking up each of those groups takes ~1.5s.)
#3 Updated by Lukas Zapletal 9 months ago
Did you perform this search from Foreman server itself? Including the same hostname? Could be as simple as a slow DNS query.
Anyway, go to setting.yaml and enable LDAP logger, enable DEBUG level, restart the app and then you should see all the LDAP queries if I am not mistaken.
#4 Updated by Adam Winberg 9 months ago
Yes, the ldapsearch was performed on the Foreman server, against the same LDAP host.
I've already added the LDAP debugger, and that's showing that Foreman does ~1500 lookups, one for each individual member in all my groups. With all those lookups it's not surprising that the sync takes a long time, but is it necessary to look up every user in the groups? Shouldn't it be enough to look up the user logging in and the groups?
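Added example, not part of the thread and not Foreman's or its LDAP library's code: a small Ruby model of the two lookup patterns discussed above, counting directory queries for each. `FakeDirectory`, the method names, the user `jdoe` and the 30 groups of 50 members are all constructed for illustration.

```ruby
# Constructed in-memory stand-in for an LDAP server; every search is counted.
class FakeDirectory
  attr_reader :queries

  def initialize(groups)
    @groups = groups # { group_dn => [member_dn, ...] }
    @queries = 0
  end

  # Models one search with filter (&(objectClass=group)(member=<user_dn>)).
  def groups_with_member(user_dn)
    @queries += 1
    @groups.select { |_dn, members| members.include?(user_dn) }.keys
  end

  # Models one base-scope read of a single entry (group or user).
  def read_entry(dn)
    @queries += 1
    { dn: dn, members: @groups.fetch(dn, []) }
  end
end

# Pattern reported in the thread: find the groups, then look up every member.
def sync_expanding_members(dir, user_dn)
  dir.groups_with_member(user_dn).each do |group_dn|
    dir.read_entry(group_dn)[:members].each { |member_dn| dir.read_entry(member_dn) }
  end
end

# Pattern asked for in the thread: resolve only the groups of the user logging in.
def sync_user_only(dir, user_dn)
  dir.groups_with_member(user_dn)
end

# Builds a constructed directory and returns the query count of each pattern.
def compare_query_counts(group_count, members_per_group)
  user = "CN=jdoe,OU=People,DC=ad,DC=example,DC=com"
  groups = (1..group_count).to_h do |g|
    others = (1...members_per_group).map { |m| "CN=u#{g}-#{m},OU=People,DC=ad,DC=example,DC=com" }
    ["CN=g#{g},OU=Groups,DC=ad,DC=example,DC=com", others + [user]]
  end
  a = FakeDirectory.new(groups)
  b = FakeDirectory.new(groups)
  same = sync_expanding_members(a, user) == sync_user_only(b, user)
  { expand_members: a.queries, user_only: b.queries, same_groups: same }
end

p compare_query_counts(30, 50)
```

Both patterns return the same group list for the user; only the number of round trips to the directory differs, and the member-expanding count grows with total group membership rather than with the number of groups the user belongs to.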
#11 Updated by Lukas Zapletal 2 months ago
Alex, please create a new issue with link to this one and provide more details. Was this a regression?
We would appreciate more debugging stuff; we do not necessarily test against LDAP with many groups, but if we are able to identify what exactly is slow we would love to help.