Improve LDAP login times, transfer 40x less data.

When recursively expanding LDAP groups we used to fetch all attributes
for each group. In our corporate setup this has been causing a huge
amount of data being transferred from the LDAP server to our Gerrit
instances. In the tcpdump output I could find a list of all corporate
user accounts being returned (probably as an attribute of a group).

However, we are really only interested in one attribute. Therefore, ask
the LDAP server for this one attribute only. This reduces the amount
of transferred data by a factor of 40, in our corporate setup.

Change-Id: I74df9064771d174a02f0e4d7cb2c5a994b9d8333
Saša Živkov
2015-01-28 16:57:26 +01:00
parent 5296a53c07
commit 386b419e76


@@ -281,7 +281,8 @@ import javax.security.auth.login.LoginException;
try {
final Name compositeGroupName = new CompositeName().add(groupDN);
final Attribute in =
ctx.getAttributes(compositeGroupName).get(schema.accountMemberField);
ctx.getAttributes(compositeGroupName, schema.accountMemberFieldArray)
.get(schema.accountMemberField);
if (in != null) {
final NamingEnumeration<?> groups = in.getAll();
try {
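Review bot: the new `ctx.getAttributes(compositeGroupName, schema.accountMemberFieldArray)` call silently falls back to the old behaviour when the array is null. The JNDI `DirContext.getAttributes(Name, String[])` contract treats a null attribute-id array as "return all attributes", and the configuration code in this same change assigns `accountMemberFieldArray = null` when `accountMemberField` is unset, so in that configuration every group attribute (including the large member lists the commit message describes) is still transferred. Either skip the group expansion when `schema.accountMemberField` is null, or make the fallback explicit with a comment here, so the data-reduction claim holds for every configuration rather than only the one that sets `accountMemberField`.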
@@ -310,6 +311,7 @@ import javax.security.auth.login.LoginException;
final ParameterizedString accountEmailAddress;
final ParameterizedString accountSshUserName;
final String accountMemberField;
final String[] accountMemberFieldArray;
final List<LdapQuery> accountQueryList;
final List<String> groupBases;
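Review bot: the new `accountMemberFieldArray` field has no comment explaining why it exists next to `accountMemberField`. A one-line note that it is the single-element attribute-id array passed to `DirContext.getAttributes` so that only the member attribute is fetched (and that it is null when `accountMemberField` is unset) would spare the next reader from having to find the call site to understand the duplication.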
@@ -374,7 +376,10 @@ import javax.security.auth.login.LoginException;
accountMemberField =
LdapRealm.optdef(config, "accountMemberField", type.accountMemberField());
if (accountMemberField != null) {
accountMemberFieldArray = new String[] {accountMemberField};
accountAtts.add(accountMemberField);
} else {
accountMemberFieldArray = null;
}
final SearchScope accountScope = LdapRealm.scope(config, "accountScope");
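Review bot: the `else` branch leaves `accountMemberFieldArray = null`, which under the JNDI contract means "fetch all attributes" at the `getAttributes` call site rather than "fetch nothing". If that fallback is intentional it deserves a comment here, since `null` reads like an absent value but actually selects the most expensive query; if it is not, an empty array (`new String[0]`, which JNDI defines as "retrieve no attributes") or guarding the expansion on `accountMemberField != null` would match the intent of the change more closely.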