Details
-
Improvement
-
Resolution: Duplicate
-
Major
-
None
-
5.4.7
-
None
-
Unknown
-
Description
LDAP Group sync loads LDAP groups to check if users are members of it. If the group is very large this can take significant time (there is a cache) and generate a high number of queries on the LDAP server the first time the groups are loaded.
We have experienced a case when combined with other bugs loading one large groups (a couple thousands members) lead to 17000 LDAP queries and 8 minutes.
It does not seem easy to fix this but it is important to know that syncing very large groups (over 10000 members) could lead to unacceptable times, using the current method.
Group sync needs to know if a user is a member of specific LDAP groups.
For this it load groups recursively containing subgroups that can be LDAP entries or expressed as Filters. Because of the filter it does not seem possible to find the groups of a specific user by looking for the groups in which a user is instead of loading the full group. However in the case where the filter case does not exist, this method of finding the user's groups could be more scalable.
Attachments
Issue Links
- duplicates
-
LDAP-7 First request of the day VERY slow for logged LDAP users
-
- Open
-