From f1c813ae7f7ced840f23d0a0d508163b307340d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sa=C5=A1a=20=C5=BDivkov?= Date: Wed, 28 Jan 2015 16:57:26 +0100 Subject: [PATCH] Improve LDAP login times, transfer 40x less data. When recursively expanding LDAP groups we used to fetch all attributes for each group. In our corporate setup this has been causing a huge amount of data being transfered from the LDAP server to our Gerrit instances. In the tcpdump output I could find a list of all corporate user accounts being returned (probably as an attribute of a group). However, we are really only interested in one attribute. Therefore, ask the LDAP server for this one attribute only. This reduces the amount of transfered data by a factor of 40, in our corporate setup. Change-Id: I74df9064771d174a02f0e4d7cb2c5a994b9d8333
--- .../java/com/google/gerrit/server/auth/ldap/Helper.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
index 0698203008..730a86fb6e 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
@@ -279,7 +279,8 @@ import javax.security.auth.login.LoginException;
 try {
 final Name compositeGroupName = new CompositeName().add(groupDN);
 final Attribute in =
- ctx.getAttributes(compositeGroupName).get(schema.accountMemberField);
+ ctx.getAttributes(compositeGroupName, schema.accountMemberFieldArray)
+ .get(schema.accountMemberField);
 if (in != null) {
 final NamingEnumeration groups = in.getAll();
 try {
@@ -308,6 +309,7 @@ import javax.security.auth.login.LoginException;
 final ParameterizedString accountEmailAddress;
 final ParameterizedString accountSshUserName;
 final String accountMemberField;
+ final String[] accountMemberFieldArray;
 final List accountQueryList;
 final List groupBases;
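Review bot: The restricted fetch at `ctx.getAttributes(compositeGroupName, schema.accountMemberFieldArray)` only holds while the array is non-null. JNDI's `DirContext.getAttributes(Name, String[])` treats a null `attrIds` as "retrieve all attributes", so the `accountMemberFieldArray = null` branch added in the `@@ -372` hunk silently restores the full per-group fetch, including the member list the commit message reports seeing in tcpdump. Whether this call can be reached with `accountMemberField` unset is not visible here, because the enclosing method starts and ends outside the hunk. If it can, an empty array (which JNDI defines as "retrieve none") would keep the least-data behaviour; otherwise a comment above the call such as `// attrIds must be non-null here: null makes JNDI return every attribute of the group` would record the invariant.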
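Review bot: The new field `accountMemberFieldArray` has no comment saying that it mirrors `accountMemberField` and may be null, which matters because it is passed straight to the directory lookup as the attribute filter. A one-line comment on the declaration would cover it, e.g. `// Single-element attrIds for getAttributes(); null when accountMemberField is unset.` The field is declared without an access modifier and is a `String[]`, so its element can still be reassigned after construction even though the reference is `final`; that is worth stating if anything else in the package reads it. The enclosing class starts and ends outside the hunk.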
@@ -372,7 +374,10 @@ import javax.security.auth.login.LoginException; accountMemberField = LdapRealm.optdef(config, "accountMemberField", type.accountMemberField()); if (accountMemberField != null) { + accountMemberFieldArray = new String[] {accountMemberField}; accountAtts.add(accountMemberField); + } else { + accountMemberFieldArray = null; } final SearchScope accountScope = LdapRealm.scope(config, "accountScope");