Bug 1393407

Summary:	[RFE] Use LDAP_MATCHING_RULE_IN_CHAIN to fetch user groups in Active Directory (improve performance)
Product:	[oVirt] ovirt-engine-extension-aaa-ldap	Reporter:	Ondra Machacek <omachace>
Component:	Profile.ad	Assignee:	Ondra Machacek <omachace>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Gonza <grafuls>
Severity:	medium	Docs Contact:
Priority:	unspecified
Version:	1.1.2	CC:	bgraveno, bugs, lsvaty, mperina, omachace, oourfali, shipatil
Target Milestone:	ovirt-4.1.0-beta	Keywords:	FutureFeature
Target Release:	1.3.0	Flags:	rule-engine: ovirt-4.1? grafuls: testing_plan_complete- rule-engine: planning_ack? mperina: devel_ack+ pstehlik: testing_ack+
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Enhancement
Doc Text:	During the authorization stage of the login flow, the user's group memberships including nested groups are retrieved. Nested group memberships are resolved using recursive LDAP searches, which could take significant amount of time. This update uses a special Active Directory feature called LDAP_MATCHING_RULE_IN_CHAIN, which allows you to fetch complete group memberships, including nested groups in one LDAP search.	Story Points:	---
Clone Of:		Environment:
Last Closed:	2017-02-15 14:48:54 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	Infra	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Ondra Machacek 2016-11-09 13:20:44 UTC

Description of problem:
LDAP_MATCHING_RULE_IN_CHAIN[1] improves performance of the groups resolution of users. The problem with LDAP_MATCHING_RULE_IN_CHAIN implementation is that it can't be used for domain local group resolution in mutli-domain setup. But the performance is significant in comparision to recusive member resolution. Thus we enable by default group resolution using LDAP_MATCHING_RULE_IN_CHAIN, and as alternative we provide profile which will use recusive member resolution, which can resolve also domain local groups from foreign domains.

[1] https://support.microsoft.com/en-us/kb/914828

Version-Release number of selected component (if applicable):
1.2.2

How reproducible:
always

Steps to Reproduce:
1. Use LDAP_MATCHING_RULE_IN_CHAIN by default.

Actual results:
Not used by default.

Expected results:
Used by default.


Additional info:

Comment 1 Pavel Stehlik 2016-11-16 08:53:41 UTC

Due to nature of the issue, QE please contact DEV in order to specify passing criteria.

Comment 2 Oved Ourfali 2016-12-14 09:02:06 UTC

All patches are merged.
Requires only building the package.

Comment 3 Martin Perina 2016-12-19 10:35:15 UTC

Included in ovirt-engine-extension-aaa-ldap-1.3.0

Comment 4 Gonza 2017-02-06 11:02:49 UTC

Verified with:
ovirt-engine-extension-aaa-ldap-1.3.1-0.0.master.20170115190508.gitda48d9d.el7.noarch

# grep -irn matching_rule /usr/share/ovirt-engine-extension-aaa-ldap/profiles/ad.properties 
23:# This profile is using LDAP_MATCHING_RULE_IN_CHAIN to retrieve groups of users.
37:# We do prefer this profile because using LDAP_MATCHING_RULE_IN_CHAIN has significant
45:vars.LDAP_MATCHING_RULE_BIT_AND = 1.2.840.113556.1.4.803
46:vars.LDAP_MATCHING_RULE_BIT_OR = 1.2.840.113556.1.4.804
47:vars.LDAP_MATCHING_RULE_IN_CHAIN = 1.2.840.113556.1.4.1941
118:search.ad-resolve-groups.search-request.filter = &(objectCategory=group)(groupType:${global:vars.LDAP_MATCHING_RULE_BIT_AND}:=${global:vars.ADS_GROUP_TYPE_SECURITY_ENABLED})(member:${global:vars.LDAP_MATCHING_RULE_IN_CHAIN}:=${seq:_ad_dn_encoded})
130:search.ad-query-groups.search-request.filter = &(objectCategory=group)(groupType:${global:vars.LDAP_MATCHING_RULE_BIT_AND}:=${global:vars.ADS_GROUP_TYPE_SECURITY_ENABLED})${seq:filter}