Project

General

Profile

Actions

Bug #31165

closed

LDAP usergroup sync makes logins very slow

Added by Adam Winberg over 3 years ago. Updated almost 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Users, Roles and Permissions
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Checking the LDAP auth source configuration option "Usergroup Sync" ('External user groups will be synced on login, else relies on periodic cronjob to check group membership') makes logins in my environment take ~30s, compared with ~3s without the option.

The option is very useful especially when new users login, without it they won't have any expected permissions until the cron job for syncing usergroups runs. Is there any way to speed up this process? Or maybe configure it so it only runs when a new user is created?


Related issues 1 (0 open1 closed)

Related to Foreman - Bug #25795: LDAP - When User Group sync is enabled, user wait long time to authenticate / loginClosedOndřej EzrActions
Actions #1

Updated by Lukas Zapletal over 3 years ago

  • Status changed from New to Need more information

Test the lookup from the Foreman server using a commandline tool, this works fine the last time I tried this. I believe you need to make sure lookups are fast on your infrastructure. If your LDAP/MSAD server is far away, deploy a local instance near Foreman.

Actions #2

Updated by Adam Winberg over 3 years ago

Not sure how the Foreman lookup is performed, but I can do a ldapsearch lookup listing all groups for a specific user:

$ ldapsearch <options> -b OU=Groups,DC=ad,DC=example,DC=com "(&(objectClass=group)(member=CN=<user>,OU=People,DC=ad,DC=example,DC=com))" 

This query takes ~0.031s.

Looking at the debug logs, Foreman seems to first lookup the groups i am a member of and then proceeds to make lookups of every member of all those groups, resulting in about 1500 lookups. Is there really a need for looking up every user instead of just looking up the groups? (with ldapsearch, first looking up the users groups and then looking up each of those groups takes ~1.5s).

Actions #3

Updated by Lukas Zapletal over 3 years ago

Did you perform this search from Foreman server itself? Including the same hostname? Could be as simple as a slow DNS query.

Anyway, go to setting.yaml and enable LDAP logger, enable DEBUG level, restart the app and then you should see all the LDAP queries if I am not mistaken.

Actions #4

Updated by Adam Winberg over 3 years ago

Yes, the ldapsearch was performed on the Foreman server, against the same LDAP host.

I've already added the ldap debugger, that's showing that Foreman does ~1500 lookups, one for each individual member in all my groups. With all those lookups it's not surprising that the sync takes a long time, but is it necessary to lookup every user in the groups? Shouldn't it be enough to lookup the user logging in and the groups?

Actions #5

Updated by Lukas Zapletal over 3 years ago

Well, that does not sounds right indeed. Ondro, is this expected? #25795

Actions #6

Updated by Lukas Zapletal over 3 years ago

  • Related to Bug #25795: LDAP - When User Group sync is enabled, user wait long time to authenticate / login added
Actions #7

Updated by The Foreman Bot about 3 years ago

  • Status changed from Need more information to Ready For Testing
  • Assignee set to Ondřej Ezr
  • Pull request https://github.com/theforeman/foreman/pull/8204 added
Actions #8

Updated by The Foreman Bot about 3 years ago

  • Fixed in Releases 2.4.0 added
Actions #9

Updated by Ondřej Ezr about 3 years ago

  • Status changed from Ready For Testing to Closed
Actions #10

Updated by Alex Fisher almost 3 years ago

This is still really slow for me. But, I am in 740 different AD groups. (Maybe that's quite common in large organisations)

Actions #11

Updated by Lukas Zapletal almost 3 years ago

Alex, please create a new issue with link to this one and provide more details. Was this a regression?

We would appreciate more debugging stuff, we do not necessary test against LDAP with many groups, but if we are able to identify what exactly is slow we would love to help.

Actions

Also available in: Atom PDF