Bug 54068 - Add an offline LDAP cache
Add an offline LDAP cache
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-8-errata
Assigned To: Dirk Wiesenthal
QA Contact: Julia Bremer
Depends on:
Blocks: 54119
Reported: 2021-11-15 23:03 CET by Dirk Wiesenthal
Modified: 2021-11-22 15:06 CET (History)

See Also:
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Dirk Wiesenthal univentionstaff 2021-11-15 23:03:09 CET
For faster lookups, especially considering expensive ACLs.

Doing lookups via LDAP can be especially annoying for the "groups in groups" feature that some software provides.

Instead we should implement a cache that stores that information on disk, using python-lmdb or python-gdbm or similar.

We should feed the cache from a listener and then provide a convenience function for other software to use:

users_for_group
groups_for_user

After some research, it seems easier to do with python-gdbm as python-lmdb has some issues in UCS 4.4 when used embedded (as in the listener) and it is not present in UCS 5.0.
Comment 1 Dirk Wiesenthal univentionstaff 2021-11-15 23:42:43 CET
univention-group-membership-cache.yaml
72079b5df7d2 | Bug #54068: YAML
8709d3bb42a4 | Bug #54068: Add an offline LDAP cache

univention-group-membership-cache (1.0.0-1)
72079b5df7d2 | Bug #54068: YAML
8709d3bb42a4 | Bug #54068: Add an offline LDAP cache

ucs-test (9.0.7-75)
f85c29f04f84 | Bug #54068: Changelog

ucs-test (9.0.7-74)
8709d3bb42a4 | Bug #54068: Add an offline LDAP cache

Certain LDAP attributes are stored in an offline cache.

Convenience Python methods exist:

    from univention.ldap_cache.frontend import users_in_group, groups_for_user

GDBM cache files can be found here: /usr/share/univention-group-membership-cache/caches/
CLI can be found here: /usr/share/univention-group-membership-cache/univention-ldap-cache
Listeners can be found here: /usr/lib/univention-directory-listener/system/ldap-cache-baa04df67e7af6bb0769f5cb7e72dba9.py
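The description above sketches the design (a listener feeds an on-disk gdbm cache; callers get a users-for-group and a groups-for-user lookup) and Comment 1 names the shipped frontend functions. The block below is an added example written for this page, not the univention-group-membership-cache package or its listener module. It assumes a hypothetical MembershipCache class, a handler(dn, new, old) shape borrowed from the UCS listener convention but with plain str attribute values, lowercased DNs as keys so uniqueMember values that differ only in case collapse, and a self-nesting group to show that transitive resolution terminates. It uses dbm.gnu (python-gdbm) when that module is compiled in and falls back to the pure-Python dbm.dumb otherwise, so it runs anywhere.

```python
"""Offline group-membership cache fed by listener-style events.

Added example for this bug page; not the project's code. Names, key layout
and the handler() argument shape are assumptions, see the lead-in.
"""
import json
import os
import tempfile

try:
    import dbm.gnu as backend  # python-gdbm, the backend chosen in the bug
except ImportError:  # gdbm not compiled into this Python: same API here
    import dbm.dumb as backend


def norm(dn):
    """Lowercase the DN so 'UID=Carol,...' and 'uid=carol,...' share one key."""
    return dn.strip().lower()


class MembershipCache:
    """Two on-disk maps: group -> direct members, entry -> direct groups."""

    def __init__(self, directory):
        os.makedirs(directory, exist_ok=True)
        # 0o600: the cache reveals group membership, keep it owner-only
        self.members = backend.open(os.path.join(directory, "members"), "c", 0o600)
        self.groups = backend.open(os.path.join(directory, "groups"), "c", 0o600)

    def close(self):
        self.members.close()
        self.groups.close()

    def _get(self, db, key):
        raw = db.get(norm(key).encode())
        return set(json.loads(raw)) if raw else set()

    def _set(self, db, key, value):
        k = norm(key).encode()
        if value:
            db[k] = json.dumps(sorted(value)).encode()
        elif k in db:
            del db[k]

    def handler(self, dn, new, old):
        """Listener-style callback for a group: new/old are attribute dicts or None."""
        g = norm(dn)
        before = {norm(m) for m in (old or {}).get("uniqueMember", [])}
        after = {norm(m) for m in (new or {}).get("uniqueMember", [])}
        for member in before - after:  # reverse index: member lost this group
            self._set(self.groups, member, self._get(self.groups, member) - {g})
        for member in after - before:  # reverse index: member gained this group
            self._set(self.groups, member, self._get(self.groups, member) | {g})
        if new:  # keep an entry even for an empty group, so it is still known as a group
            self.members[g.encode()] = json.dumps(sorted(after)).encode()
        elif g.encode() in self.members:  # group deleted
            del self.members[g.encode()]

    def _is_group(self, dn):
        return self.members.get(norm(dn).encode()) is not None

    def users_in_group(self, group_dn):
        """Transitive members; the seen-set stops a group that nests itself."""
        seen, todo, users = set(), [norm(group_dn)], set()
        while todo:
            g = todo.pop()
            if g in seen:
                continue
            seen.add(g)
            for m in self._get(self.members, g):
                (todo if self._is_group(m) else users).__iadd__ if False else None
                if self._is_group(m):
                    todo.append(m)
                else:
                    users.add(m)
        return users

    def groups_for_user(self, user_dn):
        """Transitive groups via the reverse index, cycle-safe the same way."""
        result, todo = set(), [norm(user_dn)]
        while todo:
            for g in self._get(self.groups, todo.pop()):
                if g not in result:
                    result.add(g)
                    todo.append(g)
        return result


def build_demo(directory):
    """Feed constructed events (not real UCS data) and return the cache."""
    base = "dc=example,dc=com"
    alice, bob = f"uid=alice,cn=users,{base}", f"uid=bob,cn=users,{base}"
    ops, admins = f"cn=ops,cn=groups,{base}", f"cn=admins,cn=groups,{base}"
    cache = MembershipCache(directory)
    # create: ops nests itself and lists Carol with a differently cased DN
    cache.handler(ops, {"uniqueMember": [bob, f"UID=Carol,cn=users,{base}", ops]}, None)
    cache.handler(admins, {"uniqueMember": [alice, ops]}, None)
    # modify: Alice leaves admins; the listener delivers both old and new values
    cache.handler(admins, {"uniqueMember": [ops]}, {"uniqueMember": [alice, ops]})
    return cache


def demo_results():
    """Run build_demo in a scratch directory and return the lookups as sorted lists."""
    base = "dc=example,dc=com"
    cache = build_demo(tempfile.mkdtemp(prefix="ldap-cache-"))
    out = {
        "admins": sorted(cache.users_in_group(f"cn=admins,cn=groups,{base}")),
        "ops": sorted(cache.users_in_group(f"cn=OPS,cn=groups,{base}")),
        "carol": sorted(cache.groups_for_user(f"uid=carol,cn=users,{base}")),
        "alice": sorted(cache.groups_for_user(f"uid=alice,cn=users,{base}")),
    }
    cache.close()
    return out


if __name__ == "__main__":
    for name, value in demo_results().items():
        print(name, value)
```

Design note: the reverse index is maintained incrementally from the old/new attribute sets rather than rebuilt per event, which is what keeps the listener cheap under load, and the membership store keeps an entry for empty groups so a group DN is never mistaken for a user during transitive resolution.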
Comment 2 Daniel Tröder univentionstaff 2021-11-16 08:27:36 CET
UCS already provides a flat-file cache for groups that is used by nss: base/univention-pam/ldap-group-to-file.py

Will this library be used in the future to produce it?
IMHO that'd be good, to reduce duplicate code and it would also compensate the overall code growth by this new component.
Comment 3 Julia Bremer univentionstaff 2021-11-18 15:58:56 CET
What I tested:

package install: OK
package removal: OK
package reinstall: OK
cache rebuild: OK
add-cache: OK
rm-cache: OK
query cache: OK
users_in_groups: OK
groups_for_users: OK
db permissions: OK
creating new groups/users: OK
nested groups: OK
renaming users in groups and nested groups: OK
group with nested group of itself: OK
uniqueMembers entries with different upper/lowercase differences: OK
Tests: ~OK - failed today, but that was an issue with the new tests themselves that I fixed; they work manually.
code review: OK
yaml: OK (I updated the package version)

no documentation (was discussed, documentation was omitted for now): OK

Verified