Description of problem:
Using a RHV configured with the aaa-ldap plugin and RHDS as the LDAP server, sometimes the user can't log in, receiving a timeout error, or it takes too much time to log in. In the RHDS logs, we see RHV doing one search to discover all groups that a certain user is a member of, and then it searches each group to check if the user is there. With a user that belongs to more than 100 groups this can time out or take a long time to log in.

Version-Release number of selected component (if applicable):
rhevm-4.1.10.3-0.1.el7.noarch
ovirt-engine-extension-aaa-ldap-1.3.7-1.el7ev.noarch

How reproducible:
100% with users who belong to lots of groups in RHDS in the customer environment.

Steps to Reproduce:
1. Set up a 389ds AAA profile
2. Test connection with a user with lots of groups

Actual results:
Connection sometimes times out or takes too long to log in.

Expected results:
RHV should read the memberof attribute of the user only; there is no need to check under each group if the user is there.
The way it works is that for every group we get returned we search whether it has any recursive groups. So for example there is a user with the following structure:

uid=user1
|
|- cn=group1
|- cn=group2
|  |
|  |- cn=group21
|     |
|     |- cn=group211
|- cn=group3

We query all 3 groups (group1, group2 and group3) to see if they have any nested group; if they do, we query even that nested group (in this example group21 and group211). The issue is that the 389ds server answer takes about 3-4 seconds, so for 100 groups it's 300-400 seconds to fetch all the groups. If it's OK for the customer to know only first-level groups (in our example group1, group2, group3), they can add the following line to the authn/authz properties files:

config.globals.recursive.capability_recursiveGroupResolution = true
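The query pattern described above, as an added model (not code from ovirt-engine-extension-aaa-ldap) that counts how many LDAP searches the per-group nested lookup issues compared with keeping only the first-level groups; the group tree, the memberof list and the 3.5 s per-search latency are constructed assumptions, and it also handles a nesting cycle so the walk cannot loop forever.

```python
# Added example: models the group resolution described in the comment above.
# Not code from ovirt-engine-extension-aaa-ldap; the directory below and the
# per-search latency are constructed assumptions, not customer measurements.
from collections import deque

# Constructed directory: group DN -> groups nested directly inside it
NESTED = {
    "cn=group1": [],
    "cn=group2": ["cn=group21"],
    "cn=group21": ["cn=group211"],
    "cn=group211": [],
    "cn=group3": [],
}
# Constructed memberof attribute of uid=user1 (first-level groups only)
USER_MEMBEROF = ["cn=group1", "cn=group2", "cn=group3"]


def resolve_groups(memberof, nested, recursive=True):
    """Return (set of resolved group DNs, number of LDAP searches issued).

    recursive=True mirrors the default behaviour: every group returned is
    searched again for nested groups, one LDAP search per group.
    recursive=False mirrors the suggested setting, where only the groups
    listed in the user's memberof attribute are kept.
    """
    searches = 1  # the initial search for the user's own groups
    resolved = set(memberof)
    if not recursive:
        return resolved, searches
    queue = deque(memberof)
    while queue:
        group = queue.popleft()
        searches += 1  # one LDAP search to look for groups nested in this one
        for child in nested.get(group, []):
            if child not in resolved:  # skip groups already seen (cycle guard)
                resolved.add(child)
                queue.append(child)
    return resolved, searches


def estimated_login_seconds(searches, seconds_per_search=3.5):
    """Rough login time given the assumed latency of one LDAP search."""
    return searches * seconds_per_search


if __name__ == "__main__":
    for mode in (True, False):
        groups, n = resolve_groups(USER_MEMBEROF, NESTED, recursive=mode)
        print(f"recursive={mode}: {len(groups)} groups, {n} searches, "
              f"~{estimated_login_seconds(n):.1f}s")
```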
Javier, LDAP server performance is bad; 3-4 seconds per request on the LDAP server is way too much. Aren't there any issues on the LDAP server which could affect its performance?
Thanks for the information Ondra. So if the user is OK with only knowing the first parent group to which the LDAP user belongs, they could set that line. Not clear to me in which file this must be set. Would it be in both files (authn/authz) under /etc/ovirt-engine/extension.d/ ? I assume no service should be restarted; the user could do a test by trying to log in to the RHV UI again or with the ovirt-engine-extensions-tool through the CLI.

@Martin, understood, will see if we can get more details on what's happening on the LDAP server side. Will wait on Ondra's response.

Thank you both
(In reply to Javier Coscia from comment #5)
> Thanks for the information Ondra. So if user is ok with only knowing the
> first parent group to which the ldap user belongs, they could set that line.

Correct.

> Not clear to me on which file this must be set. Would it be in both files
> (authn/authz) under /etc/ovirt-engine/extension.d/ ?

Correct.

> I assume no service should be restarted, user could do a test by trying to
> log in to the RHV UI again or with the ovirt-engine-extensions-tool through
> CLI.

Without restarting the ovirt-engine service, they can test it with ovirt-engine-extensions-tool. But in order to test it in the UI they must restart the ovirt-engine service.

> @Martin, understood, will see if we can get more details on what's happening
> on the LDAP server side. Will wait on Ondra's response.
>
> Thank you both
Have you got any response from the customer for the above suggestions?
Nothing from the customer side yet; will try another ping today to see if they were able to apply the suggestions and/or check their LDAP server.
No response from the customer; feel free to close this BZ as insufficient_data, will re-open if needed. Thanks for the help!