  1. XWiki Platform
  2. XWIKI-12415

LDAP Group Sync has potential scalability issue

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 5.4.7
    • Fix Version/s: None
    • Component/s: {Unused} LDAP
    • Labels:
      None
    • Difficulty:
      Unknown

      Description

      LDAP Group sync loads LDAP groups to check if users are members of them. If the group is very large, this can take significant time (there is a cache) and generate a high number of queries on the LDAP server the first time the groups are loaded.

      We have experienced a case where, combined with other bugs, loading one large group (a couple thousand members) led to 17000 LDAP queries and took 8 minutes.

      It does not seem easy to fix this but it is important to know that syncing very large groups (over 10000 members) could lead to unacceptable times, using the current method.

      Group sync needs to know if a user is a member of specific LDAP groups.

      For this it loads groups recursively, including subgroups that can be LDAP entries or expressed as filters. Because of the filters, it does not seem possible to find the groups of a specific user by looking for the groups the user is in instead of loading the full group. However, in the case where the filter case does not exist, this method of finding the user's groups could be more scalable.
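The trade-off described above, as an added example that is not part of the original issue and is not XWiki code. `FakeLdap`, the DNs, the `dept` attribute and the `(dept=ops)` filter member are all constructed assumptions; each `read` or `search` stands for one LDAP query.

```python
class FakeLdap:
    """Constructed in-memory stand-in for an LDAP server that counts queries."""
    def __init__(self, entries):
        self.entries, self.queries = entries, 0
    def read(self, dn):                       # base-scope read of one entry
        self.queries += 1
        return self.entries.get(dn, {})
    def search(self, attr, value):            # subtree search with (attr=value)
        self.queries += 1
        return [dn for dn, e in self.entries.items() if value in e.get(attr, [])]

def build_directory(n_users=2000):
    """Constructed data: u0 is in 'staff' only through the filter member."""
    people = {f"uid=u{i},ou=people": {"dept": ["ops" if i == 0 else "eng"]}
              for i in range(n_users)}
    groups = {
        "cn=eng,ou=groups": {"member": [dn for dn in people if dn != "uid=u0,ou=people"]},
        "cn=staff,ou=groups": {"member": ["cn=eng,ou=groups", "(dept=ops)"]},
    }
    return {**people, **groups}

def expand_group(ldap, group_dn, seen=None):
    """Forward approach: load the group and resolve every member, recursively."""
    seen = set() if seen is None else seen
    users = set()
    if group_dn in seen:                      # guard against group cycles
        return users
    seen.add(group_dn)
    for member in ldap.read(group_dn).get("member", []):
        if member.startswith("("):            # member expressed as a filter
            attr, value = member.strip("()").split("=", 1)
            users.update(ldap.search(attr, value))
        elif "member" in ldap.read(member):   # nested group entry
            users |= expand_group(ldap, member, seen)
        else:                                 # plain user entry
            users.add(member)
    return users

def groups_of_user(ldap, user_dn):
    """Reverse approach: search (member=<dn>) and walk up through parent groups."""
    found, frontier = set(), [user_dn]
    while frontier:
        for group in ldap.search("member", frontier.pop()):
            if group not in found:
                found.add(group)
                frontier.append(group)
    return found

def compare(user_dn, group_dn="cn=staff,ou=groups"):
    fwd, rev = FakeLdap(build_directory()), FakeLdap(build_directory())
    return (user_dn in expand_group(fwd, group_dn), fwd.queries,
            group_dn in groups_of_user(rev, user_dn), rev.queries)
```

For a user listed directly in a nested group, both approaches agree, but the forward expansion costs one query per member while the reverse search costs one per nesting level. For the user who belongs only through the filter member, the reverse search misses the membership, which is the limitation the description points out.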


              People

              • Assignee:
                tmortagne Thomas Mortagne
                Reporter:
                ludovic Ludovic Dubost