Bug #31165
closed
LDAP usergroup sync makes logins very slow
Description
Checking the LDAP auth source configuration option "Usergroup Sync" ('External user groups will be synced on login, else relies on periodic cronjob to check group membership') makes logins in my environment take ~30s, compared with ~3s without the option.
The option is very useful especially when new users login, without it they won't have any expected permissions until the cron job for syncing usergroups runs. Is there any way to speed up this process? Or maybe configure it so it only runs when a new user is created?
Updated by Lukas Zapletal over 3 years ago
- Status changed from New to Need more information
Test the lookup from the Foreman server using a commandline tool, this works fine the last time I tried this. I believe you need to make sure lookups are fast on your infrastructure. If your LDAP/MSAD server is far away, deploy a local instance near Foreman.
Updated by Adam Winberg over 3 years ago
Not sure how the Foreman lookup is performed, but I can do a ldapsearch lookup listing all groups for a specific user:
$ ldapsearch <options> -b OU=Groups,DC=ad,DC=example,DC=com "(&(objectClass=group)(member=CN=<user>,OU=People,DC=ad,DC=example,DC=com))"
This query takes ~0.031s.
Looking at the debug logs, Foreman seems to first lookup the groups i am a member of and then proceeds to make lookups of every member of all those groups, resulting in about 1500 lookups. Is there really a need for looking up every user instead of just looking up the groups? (with ldapsearch, first looking up the users groups and then looking up each of those groups takes ~1.5s).
Updated by Lukas Zapletal over 3 years ago
Did you perform this search from Foreman server itself? Including the same hostname? Could be as simple as a slow DNS query.
Anyway, go to setting.yaml and enable LDAP logger, enable DEBUG level, restart the app and then you should see all the LDAP queries if I am not mistaken.
Updated by Adam Winberg over 3 years ago
Yes, the ldapsearch was performed on the Foreman server, against the same LDAP host.
I've already added the ldap debugger, that's showing that Foreman does ~1500 lookups, one for each individual member in all my groups. With all those lookups it's not surprising that the sync takes a long time, but is it necessary to lookup every user in the groups? Shouldn't it be enough to lookup the user logging in and the groups?
Updated by Lukas Zapletal over 3 years ago
Well, that does not sounds right indeed. Ondro, is this expected? #25795
Updated by Lukas Zapletal over 3 years ago
- Related to Bug #25795: LDAP - When User Group sync is enabled, user wait long time to authenticate / login added
Updated by The Foreman Bot over 3 years ago
- Status changed from Need more information to Ready For Testing
- Assignee set to Ondřej Ezr
- Pull request https://github.com/theforeman/foreman/pull/8204 added
Updated by Ondřej Ezr over 3 years ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman|db56f2acbb39bbc11311cde54f99475ae7f01217.
Updated by Alex Fisher almost 3 years ago
This is still really slow for me. But, I am in 740 different AD groups. (Maybe that's quite common in large organisations)
Updated by Lukas Zapletal almost 3 years ago
Alex, please create a new issue with link to this one and provide more details. Was this a regression?
We would appreciate more debugging stuff, we do not necessary test against LDAP with many groups, but if we are able to identify what exactly is slow we would love to help.