GLASSFISH-3509

LDAP performance issues: LDAPRealm.dynamicGroupSearch

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 9.0pe
    • Fix Version/s: not determined
    • Component/s: security
    • Labels:
      None
    • Environment:

      Operating System: All
      Platform: All

    • Issuezilla Id:
      3509

      Description

      Regarding class "com.sun.enterprise.security.auth.realm.ldap.LDAPRealm" revision
      1.6, I have 2 enhancement requests regarding LDAP performance:

      I was interested in the JAAS-LDAP Provider when I noticed design glitches in
      the handling of dynamic LDAP groups (groups that only have a memberURL attribute) that
      have a severe influence on LDAP performance:

      1) Regarding: public static final String DYNAMIC_GROUP_FILTER =
      "(&(objectclass=groupofuniquenames)(objectclass=groupofurls))";

      note: the 2 asterisks "*" should be removed to allow faster directory searches
      on the objectclass attribute:
      public static final String DYNAMIC_GROUP_FILTER =
      "(&(objectclass=groupofuniquenames)(objectclass=groupofurls))";

      second note: a groupofurls can be a standalone LDAP objectclass, therefore the
      filter definition should be simplified:
      public static final String DYNAMIC_GROUP_FILTER = "(objectclass=groupofurls)";

      2) in the member method "dynamicGroupSearch(...)", regarding the code line "String
      filter = DYNAMIC_GROUP_FILTER;":
      Unfortunately the ctx.search is done using this badly designed LDAP filter, which
      is actually equivalent to "(check all groups you can find in the LDAP
      directory)". This really slows down your application if you have many
      groupofurls in your LDAP directory but are only interested in evaluating a
      few of them.

      note: the directory may contain a lot of groupofurls of other applications as
      well, even in the same tree branch; groups your application may not be
      interested in. But the current code will evaluate them all.

      For practical LDAP runtime performance with "groupofurls", never ever search for
      all groupofurls; only check those groups you really need for an application.
      Unfortunately this requires a property that names the groups you want to be checked:

      To do this, the JAAS provider needs to get a property value from the application
      that defines an app-specific group search filter.
      good filter example:
      filter=(&(objectclass=groupofurls)(|(cn=somegroup1)(cn=somegroup2)(cn=somegroup3)))
      That states 3 example groups that might be relevant for an example
      application, instead of the
      bad filter example: filter=(objectclass=groupofurls)

      An application that really, really wants all groups checked could do this:
      filter=(&(objectclass=groupofurls)(|(cn=*)))
      (this just simplifies coding: in all cases you have some parameter to search
      with a more restricted LDAP filter)
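      As an added example (not GlassFish code and not written by the reporter), the Python below builds the application-scoped dynamic-group filter proposed above from a configured list of group names, RFC 4515-escapes each name so that a group name containing `)`, `(`, `*` or `\` cannot turn into filter injection, and then runs the old and new filters against a small constructed in-memory directory to show how many group entries each variant has to evaluate. The directory entries, the group names, and the `dynamic_group_filter` / `search` helpers are hypothetical; the matcher implements only the filter subset needed here (`&`, `|`, equality and `*` substring) and is a stand-in for a directory server, not one.

```python
"""Application-scoped LDAP filter for dynamic groups (groupOfURLs), with escaping.

Hypothetical example code; the directory below is constructed for the demo.
"""
import re
from typing import Any, Dict, Iterable, List, Tuple

Entry = Dict[str, List[str]]  # attribute name (lower-case) -> values

# The filter from LDAPRealm revision 1.6 as quoted in the issue: requires BOTH
# object classes, so a standalone groupOfURLs entry is never matched.
ORIGINAL_DYNAMIC_GROUP_FILTER = "(&(objectclass=groupofuniquenames)(objectclass=groupofurls))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of an assertion value: \\ * ( ) NUL become \\XX."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def dynamic_group_filter(group_names: Iterable[str], *, check_all_groups: bool = False,
                         object_class: str = "groupofurls") -> str:
    """Build (&(objectclass=...)(|(cn=g1)(cn=g2)...)) from configured group names.

    Fails closed: an empty list without an explicit check_all_groups=True is a
    misconfiguration, not a request to evaluate every group in the directory.
    """
    names = list(group_names)
    if check_all_groups:
        return f"(&(objectclass={object_class})(|(cn=*)))"
    if not names:
        raise ValueError("no dynamic groups configured; refusing to search all groups")
    clauses = "".join(f"(cn={escape_filter_value(n)})" for n in names)
    return f"(&(objectclass={object_class})(|{clauses}))"


# --- minimal filter evaluator (toy subset: &, |, attr=value with '*' wildcard) ---

def _parse(s: str, i: int) -> Tuple[Any, int]:
    """Recursive-descent parse starting at s[i] == '('; returns (node, next index)."""
    assert s[i] == "(", f"expected '(' at {i}"
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        assert s[i] == ")"
        return (op, children), i + 1
    j = s.index("=", i)
    k = s.index(")", j)  # escaped values contain no literal ')'
    return ("=", s[i:j].lower(), s[j + 1:k]), k + 1


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _value_regex(assertion: str) -> "re.Pattern[str]":
    # Split on unescaped '*' first (an escaped '*' is '\2a' and has no literal '*'),
    # then unescape each literal piece. Attribute values match case-insensitively.
    parts = [re.escape(_unescape(p)) for p in assertion.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def _matches(node: Any, entry: Entry) -> bool:
    if node[0] == "&":
        return all(_matches(c, entry) for c in node[1])
    if node[0] == "|":
        return any(_matches(c, entry) for c in node[1])
    _, attr, assertion = node
    rx = _value_regex(assertion)
    return any(rx.match(v) for v in entry.get(attr, []))


def search(entries: List[Entry], filter_str: str) -> List[Entry]:
    """Return the entries the filter selects (what the server would hand back)."""
    node, end = _parse(filter_str, 0)
    assert end == len(filter_str), "trailing characters after filter"
    return [e for e in entries if _matches(node, e)]


# Constructed directory: two groups this app cares about, two groups belonging to
# another application in the same branch, one hybrid entry carrying both object
# classes, and one static group.
URL = "ldap:///ou=people,dc=example,dc=com??sub?(department=eng)"
DIRECTORY: List[Entry] = [
    {"cn": ["somegroup1"], "objectclass": ["top", "groupOfURLs"], "memberurl": [URL]},
    {"cn": ["somegroup2"], "objectclass": ["top", "groupOfURLs"], "memberurl": [URL]},
    {"cn": ["otherapp-a"], "objectclass": ["top", "groupOfURLs"], "memberurl": [URL]},
    {"cn": ["otherapp-b"], "objectclass": ["top", "groupOfURLs"], "memberurl": [URL]},
    {"cn": ["hybrid"], "objectclass": ["top", "groupOfUniqueNames", "groupOfURLs"],
     "memberurl": [URL], "uniquemember": ["uid=alice,ou=people,dc=example,dc=com"]},
    {"cn": ["static-admins"], "objectclass": ["top", "groupOfUniqueNames"],
     "uniquemember": ["uid=bob,ou=people,dc=example,dc=com"]},
]


if __name__ == "__main__":
    for label, f in [
        ("original (both classes)", ORIGINAL_DYNAMIC_GROUP_FILTER),
        ("all dynamic groups", dynamic_group_filter([], check_all_groups=True)),
        ("app-scoped", dynamic_group_filter(["somegroup1", "somegroup2"])),
        ("injection attempt", dynamic_group_filter(["somegroup1)(cn=*"])),
    ]:
        print(f"{label:26} {f}\n{'':26} -> {len(search(DIRECTORY, f))} group(s) to evaluate")
```

      Running the block shows the trade-off the reporter describes: the original conjunction filter finds only the hybrid entry and misses the standalone groupOfURLs entries, the `(cn=*)` variant pulls in every dynamic group including the other application's, and the app-scoped filter evaluates exactly the configured groups. The last line shows why escaping matters once the group list comes from a property: without it, a name such as `somegroup1)(cn=*` would widen the filter back to every group.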

        Activity

        Shing Wai Chan added a comment -

        reassigned to raharsha

        raharsha added a comment -

        Will work on this.

        Tom Mueller added a comment -

        Bulk update to change fix version to "not determined" for all issues still open but with a fix version for a released version.


          People

          • Assignee:
            raharsha
            Reporter:
            alfish
          • Votes:
            0
            Watchers:
            0

            Dates

            • Created:
              Updated: