Univention Bugzilla – Bug 54068
Add an offline LDAP cache
Last modified: 2021-11-22 15:06:42 CET
For faster lookups, especially considering expensive ACLs. Doing lookups via LDAP can be especially annoying for the "groups in groups" feature that some software provides. Instead we should implement a cache that stores that information on disk, using python-lmdb or python-gdbm or similar.

We should feed the cache from a listener and then provide a convenience function for other software to use:
  users_for_group
  groups_for_user

After some research, it seems easier to do with python-gdbm as python-lmdb has some issues in UCS 4.4 when used embedded (as in the listener) and it is not present in UCS 5.0.
univention-group-membership-cache.yaml
  72079b5df7d2 | Bug #54068: YAML
  8709d3bb42a4 | Bug #54068: Add an offline LDAP cache

univention-group-membership-cache (1.0.0-1)
  72079b5df7d2 | Bug #54068: YAML
  8709d3bb42a4 | Bug #54068: Add an offline LDAP cache

ucs-test (9.0.7-75)
  f85c29f04f84 | Bug #54068: Changelog

ucs-test (9.0.7-74)
  8709d3bb42a4 | Bug #54068: Add an offline LDAP cache

Certain LDAP attributes are stored in an offline cache.

Convenience Python methods exist:
  from univention.ldap_cache.frontend import users_in_group, groups_for_user

GDBM cache files can be found here:
  /usr/share/univention-group-membership-cache/caches/

CLI can be found here:
  /usr/share/univention-group-membership-cache/univention-ldap-cache

Listeners can be found here:
  /usr/lib/univention-directory-listener/system/ldap-cache-baa04df67e7af6bb0769f5cb7e72dba9.py
UCS already provides a flat-file cache for groups that is used by nss:
  base/univention-pam/ldap-group-to-file.py

Will this library be used in the future to produce it? IMHO that'd be good, to reduce duplicate code, and it would also compensate for the overall code growth by this new component.
What I tested:
  package install: OK
  package removal: OK
  package reinstall: OK
  cache rebuild: OK
  add-cache: OK
  rm-cache: OK
  query cache: OK
  users_in_groups: OK
  groups_for_users: OK
  db permissions: OK
  creating new groups/users: OK
  nested groups: OK
  renaming users in groups and nested groups: OK
  group with nested group of itself: OK
  uniqueMembers entries with different upper/lowercase differences: OK
  Tests: ~OK - failed today, but that was an issue with the new tests itself that I fixed, they work manually.
  code review: OK
  yaml: OK (I updated the package version)
  no documentation (was discussed, documentation was omitted for now): OK

Verified
<https://errata.software-univention.de/#/?erratum=4.4x1101>
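
The cases exercised in the thread above (nested groups, a group nested in itself, uniqueMember values that differ only in case, owner-only cache files) can be shown with a small on-disk cache. This is an added example, not Univention's code: it uses the standard-library `dbm.dumb` as a stand-in for GDBM, the `path` parameter and the `norm`, `build_cache` and `_expand` helpers are assumptions, and the sample DNs are constructed.

```python
import dbm.dumb  # stdlib stand-in for the GDBM files the bug describes
import json

def norm(dn):
    # Simplified DN normalisation (assumption): trim and lowercase so that
    # uniqueMember values differing only in case map to one key.
    return dn.strip().lower()

def build_cache(path, groups):
    """Write {group DN: [uniqueMember DNs]} to disk, readable by the owner only."""
    with dbm.dumb.open(path, "n", 0o600) as db:
        for dn, members in groups.items():
            db[norm(dn)] = json.dumps(sorted({norm(m) for m in members}))

def _expand(db, group_dn):
    """Return the user DNs reachable from group_dn through nested groups."""
    seen, users, stack = set(), set(), [norm(group_dn)]
    while stack:
        dn = stack.pop()
        # Skip unknown groups and groups already visited; the latter is what
        # stops self-nesting and longer membership cycles from looping.
        if dn in seen or dn not in db:
            continue
        seen.add(dn)
        for member in json.loads(db[dn]):
            if member in db:  # member is itself a cached group
                stack.append(member)
            else:
                users.add(member)
    return sorted(users)

def users_in_group(path, group_dn):
    with dbm.dumb.open(path, "r") as db:
        return _expand(db, group_dn)

def groups_for_user(path, user_dn):
    user = norm(user_dn)
    with dbm.dumb.open(path, "r") as db:
        names = [k.decode("utf-8") for k in db.keys()]
        return sorted(g for g in names if user in _expand(db, g))

# Constructed sample directory: nested group, self-nested group, mixed case.
SAMPLE = {
    "cn=admins,dc=example,dc=test": ["uid=alice,dc=example,dc=test"],
    "cn=staff,dc=example,dc=test": ["CN=Admins,DC=example,DC=test",
                                    "uid=bob,dc=example,dc=test",
                                    "cn=staff,dc=example,dc=test"],
}
```

Consumers of such a cache make authorization decisions from it without the LDAP ACL check, so the file mode passed to `build_cache` is the only access control on the membership data.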