Bug 1393407 - [RFE] Use LDAP_MATCHING_RULE_IN_CHAIN to fetch user groups in Active Directory (improve performance)
Status: CLOSED CURRENTRELEASE
Product: ovirt-engine-extension-aaa-ldap
Classification: oVirt
Component: Profile.ad
Version: 1.1.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ovirt-4.1.0-beta
Target Release: 1.3.0
Assigned To: Ondra Machacek
QA Contact: Gonza
Keywords: FutureFeature
Depends On:
Blocks:
Reported: 2016-11-09 08:20 EST by Ondra Machacek
Modified: 2017-09-26 10:35 EDT (History)
CC: 7 users

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
During the authorization stage of the login flow, the user's group memberships, including nested groups, are retrieved. Nested group memberships were resolved using recursive LDAP searches, which could take a significant amount of time. This update uses an Active Directory-specific matching rule, LDAP_MATCHING_RULE_IN_CHAIN, which fetches the complete group membership, nested groups included, in a single LDAP search.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-02-15 09:48:54 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Infra
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
rule-engine: ovirt-4.1?
grafuls: testing_plan_complete-
rule-engine: planning_ack?
mperina: devel_ack+
pstehlik: testing_ack+


Attachments:


External Trackers:
  oVirt gerrit 57520 - Priority: None, Status: None, Summary: None, Last Updated: 2016-11-09 08:22 EST
Description Ondra Machacek 2016-11-09 08:20:44 EST
Description of problem:
LDAP_MATCHING_RULE_IN_CHAIN[1] improves performance of the group resolution of users. The problem with the LDAP_MATCHING_RULE_IN_CHAIN implementation is that it can't be used for domain local group resolution in a multi-domain setup. But the performance is significant in comparison to recursive member resolution. Thus we enable by default group resolution using LDAP_MATCHING_RULE_IN_CHAIN, and as an alternative we provide a profile which will use recursive member resolution, which can also resolve domain local groups from foreign domains.

[1] https://support.microsoft.com/en-us/kb/914828

Version-Release number of selected component (if applicable):
1.2.2

How reproducible:
always

Steps to Reproduce:
1. Use LDAP_MATCHING_RULE_IN_CHAIN by default.

Actual results:
Not used by default.

Expected results:
Used by default.


Additional info:
Comment 1 Pavel Stehlik 2016-11-16 03:53:41 EST
Due to nature of the issue, QE please contact DEV in order to specify passing criteria.
Comment 2 Oved Ourfali 2016-12-14 04:02:06 EST
All patches are merged.
Requires only building the package.
Comment 3 Martin Perina 2016-12-19 05:35:15 EST
Included in ovirt-engine-extension-aaa-ldap-1.3.0
Comment 4 Gonza 2017-02-06 06:02:49 EST
Verified with:
ovirt-engine-extension-aaa-ldap-1.3.1-0.0.master.20170115190508.gitda48d9d.el7.noarch

# grep -irn matching_rule /usr/share/ovirt-engine-extension-aaa-ldap/profiles/ad.properties 
23:# This profile is using LDAP_MATCHING_RULE_IN_CHAIN to retrieve groups of users.
37:# We do prefer this profile because using LDAP_MATCHING_RULE_IN_CHAIN has significant
45:vars.LDAP_MATCHING_RULE_BIT_AND = 1.2.840.113556.1.4.803
46:vars.LDAP_MATCHING_RULE_BIT_OR = 1.2.840.113556.1.4.804
47:vars.LDAP_MATCHING_RULE_IN_CHAIN = 1.2.840.113556.1.4.1941
118:search.ad-resolve-groups.search-request.filter = &(objectCategory=group)(groupType:${global:vars.LDAP_MATCHING_RULE_BIT_AND}:=${global:vars.ADS_GROUP_TYPE_SECURITY_ENABLED})(member:${global:vars.LDAP_MATCHING_RULE_IN_CHAIN}:=${seq:_ad_dn_encoded})
130:search.ad-query-groups.search-request.filter = &(objectCategory=group)(groupType:${global:vars.LDAP_MATCHING_RULE_BIT_AND}:=${global:vars.ADS_GROUP_TYPE_SECURITY_ENABLED})${seq:filter}
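
The description above explains the trade-off (one chained search versus one search per nesting level) and comment 4 shows the resulting ad-resolve-groups filter. The following Python is an added example, not code from oVirt or ovirt-engine-extension-aaa-ldap: it builds that filter from the same OIDs the profile defines, escapes the interpolated DN the way the profile's ${seq:_ad_dn_encoded} does, and simulates both resolution strategies over a small constructed in-memory directory so the difference in search count is visible. The directory contents, the DNs, and the function names are assumptions made for the example; the groupType bit value 0x80000000 is Active Directory's ADS_GROUP_TYPE_SECURITY_ENABLED flag.

```python
"""Group resolution against Active Directory: the single LDAP_MATCHING_RULE_IN_CHAIN
search versus the recursive per-level walk, simulated over a constructed directory."""

# Matching-rule OIDs, as defined in the ad.properties profile quoted in comment 4.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
# groupType bit that marks a security-enabled group (ADS_GROUP_TYPE_SECURITY_ENABLED).
ADS_GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value. A DN read back from the directory must be
    escaped before it is spliced into a filter; otherwise '(' ')' '*' or '\\' inside a CN
    rewrite the filter (LDAP filter injection). The profile's ${seq:_ad_dn_encoded}
    exists for the same reason."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def resolve_groups_filter(user_dn: str) -> str:
    """The ad-resolve-groups filter: security-enabled groups whose member chain reaches the
    user, evaluated by the domain controller in one search. (The profile writes the filter
    body without the outermost parentheses; they are added here so the string is a complete
    filter.)"""
    return (
        "(&(objectCategory=group)"
        f"(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={ADS_GROUP_TYPE_SECURITY_ENABLED})"
        f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)}))"
    )


# Constructed sample directory (assumed data): group DN -> (groupType, member DNs).
# alice is in dev-team, nested in engineering, nested in all-staff.
# newsletter is a distribution list (security bit clear) and must never be returned.
ALICE = "CN=alice,OU=Users,DC=example,DC=com"
DEV = "CN=dev-team,OU=Groups,DC=example,DC=com"
ENG = "CN=engineering,OU=Groups,DC=example,DC=com"
STAFF = "CN=all-staff,OU=Groups,DC=example,DC=com"
NEWS = "CN=newsletter,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    DEV: (0x80000002, [ALICE]),
    ENG: (0x80000002, [DEV]),
    STAFF: (0x80000002, [ENG]),
    NEWS: (0x00000002, [ALICE]),
}


def directory_search(member_predicate):
    """Stand-in for one LDAP search request: the security-enabled groups whose member
    attribute satisfies the predicate (the groupType BIT_AND clause of the filter)."""
    return {
        dn for dn, (group_type, members) in DIRECTORY.items()
        if group_type & ADS_GROUP_TYPE_SECURITY_ENABLED and member_predicate(members)
    }


def resolve_groups_recursive(user_dn):
    """The alternative profile's method: a (member=<dn>) search per nesting level, feeding
    the DNs just found into the next level until a level returns nothing new. Returns the
    group set and the number of searches it cost."""
    resolved, frontier, searches = set(), {user_dn}, 0
    while frontier:
        searches += 1
        level = directory_search(lambda members: any(dn in members for dn in frontier))
        frontier = level - resolved          # the visited set also breaks nesting loops
        resolved |= level
    return resolved, searches


def _transitive_members(members, seen=None):
    """Flatten a member chain, which is what the DC does for the IN_CHAIN rule."""
    seen = set() if seen is None else seen
    for dn in members:
        if dn not in seen:
            seen.add(dn)
            if dn in DIRECTORY:
                _transitive_members(DIRECTORY[dn][1], seen)
    return seen


def resolve_groups_in_chain(user_dn):
    """The 1.3.0 default: one search with resolve_groups_filter(); the chain walk happens
    inside the domain controller. Per the bug description this cannot resolve domain-local
    groups of a foreign domain in a multi-domain forest, hence the recursive profile is kept."""
    groups = directory_search(lambda members: user_dn in _transitive_members(members))
    return groups, 1


if __name__ == "__main__":
    print(resolve_groups_filter(ALICE))
    print(resolve_groups_recursive(ALICE))   # three groups, 4 searches
    print(resolve_groups_in_chain(ALICE))    # same three groups, 1 search
```

Both strategies return the same three security groups for the nested example, but the recursive walk costs one search per nesting level plus a final empty one, which is the latency the bug is about. The escaping helper is the part worth keeping in mind when writing custom profiles: a DN taken from a search result is attacker-influenced data (a CN can contain parentheses or an asterisk) and must not be spliced into a filter unescaped.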
