Bug #31165

LDAP usergroup sync makes logins very slow

Added by Adam Winberg 12 months ago. Updated 5 months ago.

Users, Roles and Permissions
Target version:
Bugzilla link:
Fixed in Releases:
Found in Releases:


Checking the LDAP auth source configuration option "Usergroup Sync" ('External user groups will be synced on login, else relies on periodic cronjob to check group membership') makes logins in my environment take ~30s, compared with ~3s without the option.

The option is very useful especially when new users login, without it they won't have any expected permissions until the cron job for syncing usergroups runs. Is there any way to speed up this process? Or maybe configure it so it only runs when a new user is created?

Related issues

Related to Foreman - Bug #25795: LDAP - When User Group sync is enabled, user wait long time to authenticate / loginClosed

Associated revisions

Revision db56f2ac (diff)
Added by Ondřej Ezr 10 months ago

Fixes #31165 - sync usergroups only for given user :racehorse:

In @17c4b47 we've disabled synchronization of groups for user from different auth sources.
That gave us oportunity to sync the groups directly from fetched groups.

This is changing the Auditing of group membership, as of now it is being audited as User update, not Usergroup update.


#1 Updated by Lukas Zapletal 12 months ago

  • Status changed from New to Need more information

Test the lookup from the Foreman server using a commandline tool, this works fine the last time I tried this. I believe you need to make sure lookups are fast on your infrastructure. If your LDAP/MSAD server is far away, deploy a local instance near Foreman.

#2 Updated by Adam Winberg 12 months ago

Not sure how the Foreman lookup is performed, but I can do a ldapsearch lookup listing all groups for a specific user:

$ ldapsearch <options> -b OU=Groups,DC=ad,DC=example,DC=com "(&(objectClass=group)(member=CN=<user>,OU=People,DC=ad,DC=example,DC=com))" 

This query takes ~0.031s.

Looking at the debug logs, Foreman seems to first lookup the groups i am a member of and then proceeds to make lookups of every member of all those groups, resulting in about 1500 lookups. Is there really a need for looking up every user instead of just looking up the groups? (with ldapsearch, first looking up the users groups and then looking up each of those groups takes ~1.5s).

#3 Updated by Lukas Zapletal 12 months ago

Did you perform this search from Foreman server itself? Including the same hostname? Could be as simple as a slow DNS query.

Anyway, go to setting.yaml and enable LDAP logger, enable DEBUG level, restart the app and then you should see all the LDAP queries if I am not mistaken.

#4 Updated by Adam Winberg 12 months ago

Yes, the ldapsearch was performed on the Foreman server, against the same LDAP host.

I've already added the ldap debugger, that's showing that Foreman does ~1500 lookups, one for each individual member in all my groups. With all those lookups it's not surprising that the sync takes a long time, but is it necessary to lookup every user in the groups? Shouldn't it be enough to lookup the user logging in and the groups?

#5 Updated by Lukas Zapletal 12 months ago

Well, that does not sounds right indeed. Ondro, is this expected? #25795

#6 Updated by Lukas Zapletal 12 months ago

  • Related to Bug #25795: LDAP - When User Group sync is enabled, user wait long time to authenticate / login added

#7 Updated by The Foreman Bot 10 months ago

  • Assignee set to Ondřej Ezr
  • Status changed from Need more information to Ready For Testing
  • Pull request added

#8 Updated by The Foreman Bot 10 months ago

  • Fixed in Releases 2.4.0 added

#9 Updated by Ondřej Ezr 10 months ago

  • Status changed from Ready For Testing to Closed

#10 Updated by Alex Fisher 5 months ago

This is still really slow for me. But, I am in 740 different AD groups. (Maybe that's quite common in large organisations)

#11 Updated by Lukas Zapletal 5 months ago

Alex, please create a new issue with link to this one and provide more details. Was this a regression?

We would appreciate more debugging stuff, we do not necessary test against LDAP with many groups, but if we are able to identify what exactly is slow we would love to help.

Also available in: Atom PDF