Improve LDAP login times, transfer 40x less data.
When recursively expanding LDAP groups we used to fetch all attributes for each group. In our corporate setup this has been causing a huge amount of data to be transferred from the LDAP server to our Gerrit instances. In the tcpdump output I could find a list of all corporate user accounts being returned (probably as an attribute of a group). However, we are really only interested in one attribute. Therefore, ask the LDAP server for this one attribute only. This reduces the amount of transferred data by a factor of 40 in our corporate setup. Change-Id: I74df9064771d174a02f0e4d7cb2c5a994b9d8333
		| @@ -279,7 +279,8 @@ import javax.security.auth.login.LoginException; | ||||
|         try { | ||||
|           final Name compositeGroupName = new CompositeName().add(groupDN); | ||||
|           final Attribute in = | ||||
|               ctx.getAttributes(compositeGroupName).get(schema.accountMemberField); | ||||
|               ctx.getAttributes(compositeGroupName, schema.accountMemberFieldArray) | ||||
|                 .get(schema.accountMemberField); | ||||
|           if (in != null) { | ||||
|             final NamingEnumeration<?> groups = in.getAll(); | ||||
|             try { | ||||
| @@ -308,6 +309,7 @@ import javax.security.auth.login.LoginException; | ||||
|     final ParameterizedString accountEmailAddress; | ||||
|     final ParameterizedString accountSshUserName; | ||||
|     final String accountMemberField; | ||||
|     final String[] accountMemberFieldArray; | ||||
|     final List<LdapQuery> accountQueryList; | ||||
|  | ||||
|     final List<String> groupBases; | ||||
| @@ -372,7 +374,10 @@ import javax.security.auth.login.LoginException; | ||||
|       accountMemberField = | ||||
|           LdapRealm.optdef(config, "accountMemberField", type.accountMemberField()); | ||||
|       if (accountMemberField != null) { | ||||
|         accountMemberFieldArray = new String[] {accountMemberField}; | ||||
|         accountAtts.add(accountMemberField); | ||||
|       } else { | ||||
|         accountMemberFieldArray = null; | ||||
|       } | ||||
|  | ||||
|       final SearchScope accountScope = LdapRealm.scope(config, "accountScope"); | ||||
|   | ||||
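Review bot: `accountMemberFieldArray` is set to `null` in the `else` branch of the third hunk, and JNDI's `DirContext.getAttributes(Name, String[])` treats a null `attrIds` as "retrieve all attributes". If the group lookup in the first hunk is ever reached with `accountMemberField` unset, it silently goes back to fetching every attribute of the group, including the member lists this commit is meant to keep off the wire. Whether that call is guarded against a null `accountMemberField` lies outside the visible lines, so the path may be unreachable today. Either make the fallback fail closed with `accountMemberFieldArray = new String[0];` (an empty array requests no attributes), or document the field with `// null when accountMemberField is unset; JNDI reads a null attrIds as "all attributes"`.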
	 Saša Živkov
					Saša Živkov