Bug 47777 – Password modules: Improve performance / LDAP searches

Bug 47777 - Password modules: Improve performance / LDAP searches


Summary:	Password modules: Improve performance / LDAP searches

Status:	CLOSED WONTFIX

Product:	UCS@school
Classification:	Unclassified
Component:	UMC - Password reset
Version:	UCS@school 4.3
Hardware:	Other other

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UCS@school maintainers
QA Contact:

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2018-09-10 11:56 CEST by Michael Grandjean
Modified:	2023-06-12 15:39 CEST (History)
CC List:	2 users (show)

See Also:	48390 47885
What kind of report is it?:	Bug Report
What type of bug is this?:	4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.137
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Grandjean

2018-09-10 11:56:56 CEST

root@master:~# univention-app info
UCS: 4.3-1 errata229
Installed: dhcp-server=12.0 samba4=4.7 self-service=3.0 ucsschool=4.3 v4
Upgradable:


When opening the UCS@school module "Password (students)", it takes very long to display all users, especially for teachers (more expensive LDAP ACLs). For a School-OU with 1200+ students I measured 34 seconds until all students showed up in the grid. According to the logs, a lot of LDAP searches happen.

1. 11:22:31.346: First we see a search for all students of this school, but narrowed down via the LDAP base - not sure about school-spanning users here?
> filter=(&(cn=*)(|(&(objectClass=univentionGroup))(&(objectClass=sambaGroupMapping)))) base=cn=schueler,cn=groups,ou=school1,dc=example,dc=org

2. 11:22:35.805: Then we see a second search for "pwdAccountLockedTime", this time with a complex LDAP filter and filtered via "ucsschoolSchool=school1". This takes more than 13 seconds until the next log entry.

3. 11:22:49.494: Again a search for "pwdAccountLockedTime", but this time with "base=cn=schueler,cn=users,ou=school1,dc=example,dc=org". Results seem to take about 12 seconds.

4. 11:23:02.464: Then there are a pair of searches for a group DN, e.g.:
> uldap.search filter=(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=uid=some.student,cn=schueler,cn=users,ou=school1,dc=example,dc=org)) base= scope=sub attr=['dn'] unique=0 required=0 timeout=-1 sizelimit=0
> uldap.search filter=(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=5121)) base= scope=sub attr=['dn'] unique=0 required=0 timeout=-1 sizelimit=0
To me this looks like checking / comparing the primary group. However, this pair of LDAP searches is done for every single user (-> 2400+ ldap searches in this case).  Overall they take another 7 seconds.

5. 11:23:09.421: UMCP RESPONSE is send, the users are shown in the grid.

I will attach the complete log of /var/log/univention/management-console-module-schoolusers.log

Comment 2 Jan-Luca Kiok

2023-06-12 15:32:12 CEST

This issue has been filed against UCS@school 4.3 or earlier.

UCS 4.3 is out of maintenance and UCS components have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.