Bug 990576 - LDAP Integration needs to handle large numbers of ldap groups better.
LDAP Integration needs to handle large numbers of ldap groups better.
Product: JBoss Operations Network
Classification: JBoss
Component: UI (Show other bugs)
JON 3.2
Unspecified Unspecified
unspecified Severity high
: ER01
: JON 3.2.0
Assigned To: Simeon Pinder
Mike Foley
: 993070 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2013-07-31 09:30 EDT by Simeon Pinder
Modified: 2014-09-04 11:01 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2014-01-02 15:36:11 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Screenshot (51.53 KB, image/png)
2013-11-11 07:50 EST, Sunil Kondkar
no flags Details

  None (edit)
Description Simeon Pinder 2013-07-31 09:30:16 EDT
Description of problem:
After enabling RFC 2696, RHQ needs to be modified to:
- throttle the number of LDAP groups returned to the UI based on a)total number of results parsedb)too many overall page requests made
- give better feedback to the RHQ administrator about how to modify a) and b)
- fail faster/more reliably with useful information

Version-Release number of selected component (if applicable):
3.2.x Alpha builds/master builds

How reproducible:

Steps to Reproduce:
1. Configure RHQ + LDAP integration
2. modify/define and LDAP group filter to return 20k groups.
3. Go to the groups page for a role and attempt to browse the groups available for integration.

Actual results:
i)Slow results and intermittent errors.
ii)Ability for RHQ admin to run with page sizes that are much to small and cause ui perf issues.

Expected results:
- better feedback from the RHQ+LDAP integration that current settings need to be improved
- more graceful failure when query results are simply too large.

Additional info:
See BZ 964250 for more details on this fix.
Comment 1 Sunil Kondkar 2013-08-05 11:03:48 EDT
Updating the bug for few observations:

Created 20k groups on AD server. Observed that the search for LDAP groups (Ex: Search that returns 20k results - LDAP group with names ldapgroup1 ..ldapgroup20000) is a bit slow.
There is also a browser warning message about unresponsive script if large LDAP groups are assigned to the role. I opened a new bug#993070 for the same.
Comment 2 Simeon Pinder 2013-08-13 17:32:03 EDT
Given that UI responsiveness issues while viewing available groups can occur during any of the following conditions:

- external ldap server does not support RFC 2696(query paging) but return large result set
- external ldap server does support query paging, but has page size set too small
- poor ldap group filter definition. External LDAP topologies and attributes can legitimately vary and performance issues are hard to spot without feedback.
- poor network performance between the RHQ/JON server and the external LDAP server
- large number of ldap servers, with varying styles and capabilities of supporting ldap group definitions
- etc...  

the fix/enhancement was to give the LDAP Administrator/integrator more interactive and instantaneous feedback about the progress of the LDAP group query and advise them of how they could address the issues.  With this being said the unresponsive script error can still occur.

The fix is applied to master with the following commits:

Moving this to MODIFIED for testing in the next build.
Comment 3 Simeon Pinder 2013-09-24 11:31:23 EDT
Moving this to ON_QA for testing in ER1 and greater brew builds.
Comment 4 Sunil Kondkar 2013-11-11 07:48:38 EST
Verified on Version : 3.2.0.ER5 Build Number :	2cb2bc9:225c796

The role assignment UI displays te LDAP groups search query progress and suggestion as in attached screenshot. (Ex: Searched for more than 20000 LDAP groups shows the query progress with attention mark and provides suggestion to modify the group search filter to return fewer than 20000 LDAP groups.

The UI also displays read only LDAP System settings to view the current group search filter and query page size.
Please refer the screenshot.
Comment 5 Sunil Kondkar 2013-11-11 07:50:10 EST
Created attachment 822388 [details]
Comment 7 Simeon Pinder 2014-09-04 11:01:24 EDT
*** Bug 993070 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.