Bug 1393407 - [RFE] Use LDAP_MATCHING_RULE_IN_CHAIN to fetch user groups in Active Directory (improve performance)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: Profile.ad
Version: 1.1.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-4.1.0-beta
Target Release: 1.3.0
Assignee: Ondra Machacek
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-09 13:20 UTC by Ondra Machacek
Modified: 2021-05-01 16:45 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
During the authorization stage of the login flow, the user's group memberships, including nested groups, are retrieved. Nested group memberships are resolved using recursive LDAP searches, which could take a significant amount of time. This update uses a special Active Directory feature called LDAP_MATCHING_RULE_IN_CHAIN, which allows the complete group membership, including nested groups, to be fetched in one LDAP search.
Clone Of:
Environment:
Last Closed: 2017-02-15 14:48:54 UTC
oVirt Team: Infra
rule-engine: ovirt-4.1?
grafuls: testing_plan_complete-
rule-engine: planning_ack?
mperina: devel_ack+
pstehlik: testing_ack+




Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 57520 0 None MERGED profiles: ad: use LDAP_MATCHING_RULE_IN_CHAIN 2020-07-27 18:23:18 UTC

Description Ondra Machacek 2016-11-09 13:20:44 UTC
Description of problem:
LDAP_MATCHING_RULE_IN_CHAIN[1] improves performance of the groups resolution of users. The problem with LDAP_MATCHING_RULE_IN_CHAIN implementation is that it can't be used for domain local group resolution in multi-domain setup. But the performance is significant in comparison to recursive member resolution. Thus we enable by default group resolution using LDAP_MATCHING_RULE_IN_CHAIN, and as alternative we provide profile which will use recursive member resolution, which can resolve also domain local groups from foreign domains.

[1] https://support.microsoft.com/en-us/kb/914828

Version-Release number of selected component (if applicable):
1.2.2

How reproducible:
always

Steps to Reproduce:
1. Use LDAP_MATCHING_RULE_IN_CHAIN by default.

Actual results:
Not used by default.

Expected results:
Used by default.


Additional info:

Comment 1 Pavel Stehlik 2016-11-16 08:53:41 UTC
Due to nature of the issue, QE please contact DEV in order to specify passing criteria.

Comment 2 Oved Ourfali 2016-12-14 09:02:06 UTC
All patches are merged.
Requires only building the package.

Comment 3 Martin Perina 2016-12-19 10:35:15 UTC
Included in ovirt-engine-extension-aaa-ldap-1.3.0

Comment 4 Gonza 2017-02-06 11:02:49 UTC
Verified with:
ovirt-engine-extension-aaa-ldap-1.3.1-0.0.master.20170115190508.gitda48d9d.el7.noarch

# grep -irn matching_rule /usr/share/ovirt-engine-extension-aaa-ldap/profiles/ad.properties 
23:# This profile is using LDAP_MATCHING_RULE_IN_CHAIN to retrieve groups of users.
37:# We do prefer this profile because using LDAP_MATCHING_RULE_IN_CHAIN has significant
45:vars.LDAP_MATCHING_RULE_BIT_AND = 1.2.840.113556.1.4.803
46:vars.LDAP_MATCHING_RULE_BIT_OR = 1.2.840.113556.1.4.804
47:vars.LDAP_MATCHING_RULE_IN_CHAIN = 1.2.840.113556.1.4.1941
118:search.ad-resolve-groups.search-request.filter = &(objectCategory=group)(groupType:${global:vars.LDAP_MATCHING_RULE_BIT_AND}:=${global:vars.ADS_GROUP_TYPE_SECURITY_ENABLED})(member:${global:vars.LDAP_MATCHING_RULE_IN_CHAIN}:=${seq:_ad_dn_encoded})
130:search.ad-query-groups.search-request.filter = &(objectCategory=group)(groupType:${global:vars.LDAP_MATCHING_RULE_BIT_AND}:=${global:vars.ADS_GROUP_TYPE_SECURITY_ENABLED})${seq:filter}


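The following is an added example, not code from this bug or from the ovirt-engine-extension-aaa-ldap project. It builds the same kind of filter that the `search.ad-resolve-groups` line of ad.properties above produces (the three-clause `&(objectCategory=group)(groupType:BIT_AND:=...)(member:IN_CHAIN:=...)` filter), applies RFC 4515 escaping to the user DN in place of the profile's `${seq:_ad_dn_encoded}`, and contrasts it with the recursive member resolution described in the Doc Text and the bug description, using a small constructed in-memory directory that also contains a nesting cycle. The directory contents, the `0x80000000` value assumed for `ADS_GROUP_TYPE_SECURITY_ENABLED` (the documented AD bit; the profile variable's value is not shown on this page), and the function names are assumptions of this example.

```python
"""Added example (not from the oVirt bug or the aaa-ldap project): builds an
ad.properties-style LDAP_MATCHING_RULE_IN_CHAIN filter with an RFC 4515-escaped
user DN, and contrasts it, over a constructed in-memory directory, with the
recursive member resolution it replaces."""

# Matching-rule OIDs as they appear in the ad.properties profile on the bug page.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
# Assumed value: Active Directory's documented ADS_GROUP_TYPE_SECURITY_ENABLED bit.
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value spliced into a filter (the role of
    ${seq:_ad_dn_encoded}). Backslash is handled first so escapes are not re-escaped."""
    out = value.replace("\\", "\\5c")
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, esc)
    return out


def resolve_groups_filter(user_dn: str) -> str:
    """Security-enabled groups whose member chain (transitively) contains the user DN."""
    return (
        "(&(objectCategory=group)"
        f"(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={ADS_GROUP_TYPE_SECURITY_ENABLED})"
        f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)}))"
    )


# Constructed directory: DN -> attributes. groupType is kept as an unsigned bit mask.
USER = "CN=O'Brien (contractor),CN=Users,DC=example,DC=com"
DEV = "CN=dev,OU=Groups,DC=example,DC=com"
ENG = "CN=engineering,OU=Groups,DC=example,DC=com"
STAFF = "CN=all-staff,OU=Groups,DC=example,DC=com"
NEWS = "CN=newsletter,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    DEV:   {"groupType": ADS_GROUP_TYPE_SECURITY_ENABLED | 0x2, "member": [USER]},
    ENG:   {"groupType": ADS_GROUP_TYPE_SECURITY_ENABLED | 0x2, "member": [DEV, STAFF]},
    STAFF: {"groupType": ADS_GROUP_TYPE_SECURITY_ENABLED | 0x8, "member": [ENG]},  # ENG<->STAFF cycle
    NEWS:  {"groupType": 0x2, "member": [USER]},  # distribution list, not security-enabled
}


def _member_chain_contains(directory, group_dn, target_dn, seen=None):
    """Server-side meaning of member:1.2.840.113556.1.4.1941:=target: transitive membership.
    The visited set makes the walk terminate on circular nesting."""
    seen = set() if seen is None else seen
    if group_dn in seen:
        return False
    seen.add(group_dn)
    for m in directory[group_dn]["member"]:
        if m == target_dn:
            return True
        if m in directory and _member_chain_contains(directory, m, target_dn, seen):
            return True
    return False


def resolve_groups_in_chain(directory, user_dn):
    """One LDAP search: every group entry is tested against the filter's clauses."""
    groups = {
        dn for dn, a in directory.items()
        if a["groupType"] & ADS_GROUP_TYPE_SECURITY_ENABLED
        and _member_chain_contains(directory, dn, user_dn)
    }
    return groups, 1  # (matched groups, number of searches issued)


def resolve_groups_recursive(directory, user_dn):
    """The older approach: one (member=<dn>) search per discovered DN, walking nesting upward."""
    groups, searches, queue = set(), 0, [user_dn]
    while queue:
        dn = queue.pop()
        searches += 1  # one search for (member=<dn>)
        for gdn, a in directory.items():
            if dn in a["member"] and gdn not in groups:
                groups.add(gdn)
                queue.append(gdn)  # each group searched at most once, so cycles terminate
    # Keep only security-enabled groups, as the profile's groupType clause does
    security = {g for g in groups if directory[g]["groupType"] & ADS_GROUP_TYPE_SECURITY_ENABLED}
    return security, searches


if __name__ == "__main__":
    print(resolve_groups_filter(USER))
    print(resolve_groups_in_chain(DIRECTORY, USER))   # 3 groups, 1 search
    print(resolve_groups_recursive(DIRECTORY, USER))  # same 3 groups, 5 searches
```

Both strategies return the same three security-enabled groups, but the recursive walk issues one search per discovered DN (five here, growing with nesting depth and fan-out), whereas the in-chain filter resolves the whole chain server-side in a single search. The escaping step matters independently of performance: the user DN is attacker-influenced input to a filter string, and the parentheses in the constructed DN show why it must be encoded before being spliced in.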