Red Hat Bugzilla – Bug 990576
LDAP Integration needs to handle large numbers of ldap groups better.
Last modified: 2014-09-04 11:01:24 EDT
Description of problem:
After enabling RFC 2696, RHQ needs to be modified to:
- throttle the number of LDAP groups returned to the UI based on a)total number of results parsedb)too many overall page requests made
- give better feedback to the RHQ administrator about how to modify a) and b)
- fail faster/more reliably with useful information
Version-Release number of selected component (if applicable):
3.2.x Alpha builds/master builds
Steps to Reproduce:
1. Configure RHQ + LDAP integration
2. modify/define and LDAP group filter to return 20k groups.
3. Go to the groups page for a role and attempt to browse the groups available for integration.
i)Slow results and intermittent errors.
ii)Ability for RHQ admin to run with page sizes that are much to small and cause ui perf issues.
- better feedback from the RHQ+LDAP integration that current settings need to be improved
- more graceful failure when query results are simply too large.
See BZ 964250 for more details on this fix.
Updating the bug for few observations:
Created 20k groups on AD server. Observed that the search for LDAP groups (Ex: Search that returns 20k results - LDAP group with names ldapgroup1 ..ldapgroup20000) is a bit slow.
There is also a browser warning message about unresponsive script if large LDAP groups are assigned to the role. I opened a new bug#993070 for the same.
Given that UI responsiveness issues while viewing available groups can occur during any of the following conditions:
- external ldap server does not support RFC 2696(query paging) but return large result set
- external ldap server does support query paging, but has page size set too small
- poor ldap group filter definition. External LDAP topologies and attributes can legitimately vary and performance issues are hard to spot without feedback.
- poor network performance between the RHQ/JON server and the external LDAP server
- large number of ldap servers, with varying styles and capabilities of supporting ldap group definitions
the fix/enhancement was to give the LDAP Administrator/integrator more interactive and instantaneous feedback about the progress of the LDAP group query and advise them of how they could address the issues. With this being said the unresponsive script error can still occur.
The fix is applied to master with the following commits:
Moving this to MODIFIED for testing in the next build.
Moving this to ON_QA for testing in ER1 and greater brew builds.
Verified on Version : 3.2.0.ER5 Build Number : 2cb2bc9:225c796
The role assignment UI displays te LDAP groups search query progress and suggestion as in attached screenshot. (Ex: Searched for more than 20000 LDAP groups shows the query progress with attention mark and provides suggestion to modify the group search filter to return fewer than 20000 LDAP groups.
The UI also displays read only LDAP System settings to view the current group search filter and query page size.
Please refer the screenshot.
Created attachment 822388 [details]
*** Bug 993070 has been marked as a duplicate of this bug. ***