
LDAP- avoid getting all members of the groups and just get the distinguishedName #26061

Closed
maggieliu opened this issue Mar 16, 2020 · 5 comments

Comments

@maggieliu

maggieliu commented Mar 16, 2020

What kind of request is this (question/bug/enhancement/feature request):
Feature

@maggieliu maggieliu added kind/enhancement Issues that improve or augment existing functionality internal labels Mar 16, 2020
@maggieliu maggieliu added this to the v2.4.x milestone Mar 16, 2020
@deniseschannon deniseschannon modified the milestones: v2.4.x, v2.4.2 Mar 17, 2020
@ebauman

ebauman commented Mar 17, 2020

In large LDAP directories, the fetching of entire member lists has proven to take a significant amount of time.

Specifically, this problem was encountered in the following situation:

  • An LDAP directory had hundreds of thousands of users
  • There were hundreds of groups attached to a single user
  • Some of those groups (<10) had member counts in the hundreds of thousands

In this environment, fetching the groups for a particular user took upwards of one minute. This was tested directly by executing the corresponding ldapsearch query (&(member=cn=Username,ou=People,o=Organization)(objectClass=groupOfNames))

Adjusting the query to include distinguishedName (e.g. (&(member=cn=Username,ou=People,o=Organization)(objectClass=groupOfNames)) distinguishedName) changed the return time of the query from one minute to under one second.

It is theorized that the sheer size of the objects being returned - and corresponding stress on the LDAP server to fetch such a query - was responsible for the delays.

@maggieliu maggieliu modified the milestones: v2.4.2, v2.4.2a Mar 19, 2020
@maggieliu maggieliu modified the milestones: v2.4.2, v2.4 - Backlog Mar 24, 2020
@prachidamle prachidamle changed the title Add LDAP config flag to avoid getting all members of the groups and just get the distinguishedName LDAP- avoid getting all members of the groups and just get the distinguishedName Mar 26, 2020
@zube zube bot removed the [zube]: Working label Mar 26, 2020
@maggieliu maggieliu modified the milestones: v2.4 - Backlog, v2.4.1 Mar 27, 2020
@prachidamle
Member

prachidamle commented Mar 27, 2020

What is the fix?

  • The fix currently in test for this issue removes the "member" attribute from the search queries done for a group. This avoids pulling all the members of a group.

  • It was found that when we pull details of a group, we do not need its list of members in most cases. The only case where we need to find a group's members is when nested group memberships are enabled on the auth config, since we then need to look at all sub-groups of this group.

What to test?

  • We need to test and validate that all the functionalities related to OpenLDAP, FreeIPA and AD (less impacted) are unaffected.
  • Especially test cases around cluster/project memberships granted to groups should give the group members correct access.
  • Also need to make sure that test cases around nested groups are working fine.
  • Also should validate with a large dataset, with users having, say, 1000 groups and a few groups having 1000 members.

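The search discussed in ebauman's comment and the fix prachidamle describes (request only distinguishedName, and fetch member lists only when nested groups are enabled), as an added Python example that is not Rancher's code. The helper names, the dictionary-backed directory and the sample DNs are constructed for illustration; the filter-value escaping follows RFC 4515.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# RFC 4515 filter-value escaping, so a DN containing ( ) * \ or NUL
# cannot change the shape of the filter it is substituted into.
def escape_filter_value(value: str) -> str:
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_search(user_dn: str, nested_groups: bool = False,
                 member_attr: str = "member",
                 group_class: str = "groupOfNames") -> Tuple[str, List[str]]:
    """Filter and attribute list for the user -> groups lookup from the issue.
    Only distinguishedName is requested unless nested groups are enabled,
    so the server never has to serialise the (possibly huge) member lists."""
    flt = "(&(%s=%s)(objectClass=%s))" % (
        member_attr, escape_filter_value(user_dn), group_class)
    attrs = ["distinguishedName"]
    if nested_groups:
        attrs.append(member_attr)  # needed only to walk sub-group membership
    return flt, attrs

def resolve_nested(direct_groups: List[str], directory: Dict[str, List[str]],
                   max_depth: int = 32) -> Set[str]:
    """Expand direct groups to every group that transitively contains them.
    `directory` maps group DN -> member DNs (what the member attribute
    would return); the walk is cycle-safe and depth-bounded."""
    seen: Set[str] = set(direct_groups)
    queue = deque((g, 0) for g in direct_groups)
    while queue:
        dn, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for parent, members in directory.items():
            if dn in members and parent not in seen:
                seen.add(parent)
                queue.append((parent, depth + 1))
    return seen

# Constructed sample directory (not real data): the user is a direct member of
# devs; devs is nested in engineering, which is nested in staff; ops is unrelated.
SAMPLE_DIRECTORY = {
    "cn=devs,ou=Groups,o=Organization": ["cn=Username,ou=People,o=Organization"],
    "cn=engineering,ou=Groups,o=Organization": ["cn=devs,ou=Groups,o=Organization"],
    "cn=staff,ou=Groups,o=Organization": ["cn=engineering,ou=Groups,o=Organization"],
    "cn=ops,ou=Groups,o=Organization": ["cn=Someone,ou=People,o=Organization"],
}

if __name__ == "__main__":
    print(group_search("cn=Username,ou=People,o=Organization"))
    print(resolve_nested(["cn=devs,ou=Groups,o=Organization"], SAMPLE_DIRECTORY))
```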
@izaac
Contributor

izaac commented Apr 8, 2020

Rancher version: v2.4-head (04/06/2020) 04159d0 up to v2.4-head (04/08/2020) 64cf5ec

Completed P1 scenarios test coverage and manual RBAC tests.

  • OpenLDAP
  • FreeIPA
  • ActiveDirectory

@soumyalj

soumyalj commented Apr 8, 2020

Tested with Rancher master-head build (f47eb1a)
P1 scenarios and manual RBAC tests passed for the below Auth providers:

  • OpenLDAP
  • FreeIPA
  • ActiveDirectory

@samjustus samjustus added this to the v2.7.1 milestone Oct 3, 2022
@zube zube bot modified the milestones: v2.7.1, v2.4.3 Oct 3, 2022
@zube zube bot closed this as completed Oct 3, 2022
@samjustus samjustus added priority/2 status/to-reproduce [zube]: QA Backlog and removed kind/enhancement Issues that improve or augment existing functionality labels Oct 3, 2022
@zube zube bot removed the [zube]: QA Backlog label Oct 3, 2022
@samjustus
Collaborator

SURE-3019
