Bug 1570984 - [AAA] 389ds user times out or delays in login with more than 100 groups
Summary: [AAA] 389ds user times out or delays in login with more than 100 groups
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine-extension-aaa-ldap
Version: 4.1.10
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
: ---
Assignee: Ondra Machacek
QA Contact: Gonza
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-23 22:13 UTC by Javier Coscia
Modified: 2021-09-09 13:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-06-11 13:45:34 UTC
oVirt Team: Infra
Target Upstream Version:
Embargoed:

Links
System: Red Hat Issue Tracker
ID: RHV-43490
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2021-09-09 13:55:55 UTC

Description Javier Coscia 2018-04-23 22:13:12 UTC
Description of problem:

Using a RHV configured with the aaa-ldap plugin and RHDS as LDAP server, sometimes the user can't log in, receiving a timeout error, or it takes too much time to log in.
In RHDS logs, we see RHV doing one search to discover all groups that a certain user is a member of, and then it searches each group to check if the user is there.

With a user that belongs to more than 100 groups this could time out or take a long time to login.


Version-Release number of selected component (if applicable):

rhevm-4.1.10.3-0.1.el7.noarch
ovirt-engine-extension-aaa-ldap-1.3.7-1.el7ev.noarch



How reproducible:

100% with users which belong to lots of groups in RHDS in the customer environment.


Steps to Reproduce:
1. Setup 389ds AAA profile
2. Test connection with a user with lots of groups

Actual results:

Connection sometimes times out or takes too long to log in

Expected results:

RHV should read the memberof attribute of the user only, no need to check under each group if the user is there

Comment 3 Ondra Machacek 2018-05-04 09:31:40 UTC
The way it works is that for every group we get returned we search whether it has any recursive groups, so for example there is a user with the following structure:

 uid=user1
   |
   |- cn=group1
   |- cn=group2
       |
       |-cn=group21
          |
          |-cn=group211
   |- cn=group3

We query all 3 groups, group1, group2 and group3, to see if any has a nested group; if it has, we query even that nested group (in this example group21 and group211).

The issue is that the 389ds server answer takes about 3-4 seconds, so for 100 groups it's 300-400 seconds to fetch all the groups. If it's OK for the customer to know only first-level groups (in our example group1, group2, group3), they can add the following line to the authn/authz properties files:

config.globals.recursive.capability_recursiveGroupResolution = true
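
A small model of the two lookup strategies Ondra describes, added here as an illustration (it is not code from ovirt-engine-extension-aaa-ldap). It assumes a constructed in-memory directory shaped like the tree above, with one extra cycle added (group211 nested back into group2) to show why a visited set is needed, and a constant 3.5 s per search taken from the 3-4 s figure:

```python
# Added example, not project code: models the group resolution flow from
# comment 3 against a constructed directory and counts LDAP round trips.
from collections import deque

# Constructed directory: group DN -> DNs listed in its "member" attribute.
# group2 is nested in group21, group21 in group211; group211 is deliberately
# put back into group2 to create a cycle that a naive recursion would never leave.
DIRECTORY = {
    "cn=group1": ["uid=user1"],
    "cn=group2": ["uid=user1", "cn=group211"],
    "cn=group21": ["cn=group2"],
    "cn=group211": ["cn=group21"],
    "cn=group3": ["uid=user1"],
}

# Assumed per-search latency, taken from the 3-4 s observed in comment 3.
SECONDS_PER_QUERY = 3.5


def search_groups_with_member(dn, queries):
    """One LDAP search for groups whose member attribute contains dn."""
    queries.append(dn)  # every call is one round trip to the server
    return sorted(g for g, members in DIRECTORY.items() if dn in members)


def resolve_groups(user_dn, recursive=True):
    """Return (sorted group DNs, number of searches issued).

    One search finds the user's direct groups; with recursive=True each
    discovered group is then searched for groups that contain it, so the
    query count grows with the number of groups rather than staying at one.
    """
    queries = []
    direct = search_groups_with_member(user_dn, queries)
    found, pending = set(direct), deque(direct)
    while recursive and pending:
        group = pending.popleft()
        for parent in search_groups_with_member(group, queries):
            if parent not in found:  # visited set breaks the group2 cycle
                found.add(parent)
                pending.append(parent)
    return sorted(found), len(queries)


def estimated_login_seconds(query_count):
    """Login delay implied by the per-search latency, e.g. 100 -> 350 s."""
    return query_count * SECONDS_PER_QUERY


if __name__ == "__main__":
    for mode in (True, False):
        groups, n = resolve_groups("uid=user1", recursive=mode)
        print(f"recursive={mode}: {groups} via {n} searches, "
              f"~{estimated_login_seconds(n):.0f} s")
```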

Comment 4 Martin Perina 2018-05-04 11:21:36 UTC
Javier, LDAP server performance is bad; 3-4 seconds per request on the LDAP server is way too much. Aren't there any issues on the LDAP server which could affect its performance?

Comment 5 Javier Coscia 2018-05-04 16:08:39 UTC
Thanks for the information Ondra. So if the user is OK with only knowing the first parent group to which the LDAP user belongs, they could set that line.

Not clear to me on which file this must be set. Would it be in both files (authn/authz) under /etc/ovirt-engine/extension.d/  ?

I assume no service should be restarted; the user could do a test by trying to log in to the RHV UI again or with the ovirt-engine-extensions-tool through the CLI.

@Martin, understood, will see if we can get more details on what's happening on the LDAP server side. Will wait on Ondra's response.

Thank you both

Comment 6 Ondra Machacek 2018-05-07 10:04:29 UTC
(In reply to Javier Coscia from comment #5)
> Thanks for the information Ondra. So if user is ok with only knowing the
> first parent group to which the ldap user belongs, they could set that line.
> 

Correct.

> Not clear to me on which file this must be set. Would it be in both files
> (authn/authz) under /etc/ovirt-engine/extension.d/  ?

Correct.

> 
> I assume no service should be restarted, user could do a test by trying to
> logging to the RHV UI again or with the ovirt-engine-extensions-tool through
> CLI.

Without restarting the ovirt-engine service, they can test it with ovirt-engine-extensions-tool. But in order to test it in UI they must restart ovirt-engine service.

> 
> @Martin, understood, will see if we can get more details on what's happening
> on the LDAP server side. Will wait on Ondra's response.
> 
> Thank you both

Comment 7 Martin Perina 2018-05-16 11:33:24 UTC
Have you got any response from the customer for the above suggestions?

Comment 8 Javier Coscia 2018-05-16 12:35:46 UTC
Nothing from customer side yet, will try another ping today to see if they were able to apply the suggestions and/or checked their ldap server.

Comment 12 Javier Coscia 2018-06-11 13:43:49 UTC
No response from customer, feel free to close this bz as insufficient_data, will re-open if needed.

Thanks for the help!

Comment 13 Franta Kust 2019-05-16 13:04:20 UTC
BZ<2>Jira Resync
