Univention Bugzilla – Bug 54623
UDM REST API always connects to LDAP of the Primary Directory Node
Last modified: 2022-11-30 13:27:59 CET
The UDM REST API always opens an LDAP connection to the Primary Directory Node. This reduces its availability during updates and its performance in large installations. A positive argument for always connecting to the Primary is that there will be no difficult-to-handle effects from the replication lag after write/delete operations. In most scenarios the UDM REST API performance will not be limited by the LDAP performance. But in high performance scenarios with distributed UDM REST servers running more processes than there are CPU cores in the machine of the Primary Directory Node, the performance of a single LDAP node becomes the bottleneck. Create a UCR configuration option for the UDM REST API to optionally connect for read operations (GET, HEAD) to the local LDAP host. The UCR default should be "off", so that in most scenarios the safer configuration (all connections go to the Primary) is active.
Actually it would be better to not add a boolean, but make the connection settings directly UCR configurable. Then the UDM REST API to LDAP connection could for example
- use a service mesh, without having to modify the Python code,
- or it could be configured to connect to some Docker container, when slapd is containerized,
- or it could be used to connect to a separate database for integration tests, that can be deleted afterwards.

There should be separate UCR settings for read and for write operations. Ideal may be the URI variant, as it fits into one UCRV and includes the information whether to use SSL or not: "ldap[s]://$HOST:$PORT". But I don't know if that works with the Python-LDAP library... or just use urlsplit()...

A typical setup would be to only change the read connection to use the LDAP server on the local machine. That connection could be unencrypted. The write connection would usually not be modified. The default for both connections should be <unset>, meaning that both connections are to the Primary.
The LDAP connections of the UDM REST API are now configurable via UCR: +[directory/manager/rest/ldap-connection/.*/uri] +Description[de]=Ein LDAP-URI, der für die Verbindung mit dem LDAP-Server verwendet wird. Platzhalter sind "user-read", "user-write", "machine-read", "machine-write". +Description[en]=A LDAP URI used for connecting to the LDAP server. Placeholders are "user-read", "user-write", "machine-read", "machine-write". +Type=str +Categories=service-udm + +[directory/manager/rest/ldap-connection/.*/start-tls] +Description[de]=Spezifiziert, ob STARTTLS für die LDAP-Verbindungstypen "user-read", "user-write", "machine-read", "machine-write" aktiviert werden soll (0=deaktiviert, 1=versuchen, 2=erzwingen). +Description[en]=Specifies if STARTTLS should be enabled (0=disabled, 1=try, 2=enforce) for the LDAP connection types "user-read", "user-write", "machine-read", "machine-write". +Type=int +Default=2 +Categories=service-udm + +[directory/manager/rest/ldap-connection/.*/binddn] +Description[de]=Gibt den binddn für die LDAP-Verbindungstypen "machine-read", "machine-write" an. +Description[en]=Specifies the binddn for the LDAP connection types "machine-read", "machine-write". +Type=str +Categories=service-udm + +[directory/manager/rest/ldap-connection/.*/password-file] +Description[de]=Gibt die Passwortdatei an, die das bind-Passwort für die LDAP-Verbindungstypen "machine-read", "machine-write" enthält. +Description[en]=Specifies the password file containing the bind password for the LDAP connection types "machine-read", "machine-write". 
+Type=str +Categories=service-udm
univention-management-console.yaml 99e80b45056d | feat(udm-rest): separate configurable LDAP connections for read and write operations
univention-management-console (12.0.13-4) 99e80b45056d | feat(udm-rest): separate configurable LDAP connections for read and write operations
univention-directory-manager-rest.yaml 99e80b45056d | feat(udm-rest): separate configurable LDAP connections for read and write operations
univention-directory-manager-rest (10.0.4-9) 99e80b45056d | feat(udm-rest): separate configurable LDAP connections for read and write operations
univention-directory-manager-modules.yaml 99e80b45056d | feat(udm-rest): separate configurable LDAP connections for read and write operations
univention-directory-manager-modules (15.0.13-25) 99e80b45056d | feat(udm-rest): separate configurable LDAP connections for read and write operations
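Review bot: The `uri` and `start-tls` entries leave unspecified what happens when an `ldaps://` URI is combined with `start-tls` (default 2=enforce); the description should say whether STARTTLS is then skipped or the connection is refused, otherwise an operator who sets `ldaps://` with the default may get an unusable connection or a silently different TLS mode. Also, "Placeholders are "user-read", ..." is misleading for a `.*` registry pattern: word it as "The path segment is the connection type, one of "user-read", "user-write", "machine-read", "machine-write"". Minor: Description[en] should read "An LDAP URI" rather than "A LDAP URI", and the `password-file` entry should state the expected ownership and mode of the file (readable only by the UDM REST service user), since the bind password for the machine connections lives there.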
Verified:
* ucs-test-udm
* ucs-test-udm-rest
* repeat test with ucr set directory/manager/rest/ldap-connection/user-read/uri=ldap://localhost:7389/
* advisory
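As an added example (not part of the bug report or of the UDM REST API code), the following resolves the four UCR connection types introduced above into connection parameters the way the comments describe: an unset URI falls back to the Primary, the URI is split with urlsplit() as suggested, binddn/password-file apply only to the machine connections, and a helper flags any configuration that could bind over the network without TLS. The UCR dictionary, the primary host/port arguments and the check function are assumptions of this example; it is exercised with the verification setting ldap://localhost:7389/ from the comment above.

```python
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Key layout taken from the UCR registry entries of the change; the UCR
# mapping passed in is a plain dict here (constructed), not the real UCR object.
UCR_PREFIX = "directory/manager/rest/ldap-connection/"
CONNECTION_TYPES = ("user-read", "user-write", "machine-read", "machine-write")
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")

@dataclass(frozen=True)
class LdapConnectionSettings:
    host: str
    port: int
    ssl: bool               # True for an ldaps:// URI
    start_tls: int          # 0=disabled, 1=try, 2=enforce (UCR default 2)
    binddn: Optional[str]
    password_file: Optional[str]
    use_primary: bool       # True when no URI is set: connect to the Primary

def resolve_connection(ucr: Mapping[str, str], conn_type: str,
                       primary_host: str, primary_port: int) -> LdapConnectionSettings:
    """Turn the UCR variables of one connection type into connection settings."""
    if conn_type not in CONNECTION_TYPES:
        raise ValueError("unknown connection type: %r" % conn_type)
    prefix = UCR_PREFIX + conn_type + "/"
    start_tls = int(ucr.get(prefix + "start-tls", "2"))
    if start_tls not in (0, 1, 2):
        raise ValueError("start-tls must be 0, 1 or 2, got %d" % start_tls)
    # binddn/password-file are documented for the machine connections only;
    # the user connections bind with the credentials of the authenticated user.
    is_machine = conn_type.startswith("machine-")
    binddn = ucr.get(prefix + "binddn") if is_machine else None
    password_file = ucr.get(prefix + "password-file") if is_machine else None
    uri = ucr.get(prefix + "uri")
    if not uri:
        # <unset> keeps the previous behaviour: the connection goes to the Primary.
        return LdapConnectionSettings(primary_host, primary_port, False, start_tls,
                                      binddn, password_file, True)
    parts = urlsplit(uri)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("expected ldap[s]://HOST[:PORT], got %r" % uri)
    return LdapConnectionSettings(parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme],
                                  parts.scheme == "ldaps", start_tls, binddn, password_file, False)

def may_bind_in_cleartext(settings: LdapConnectionSettings) -> bool:
    """True if a bind could leave the machine unencrypted: no ldaps and STARTTLS
    not enforced (0=off; 1=try can fall back to plaintext). Local hosts are exempt."""
    return (not settings.ssl and settings.start_tls != 2
            and settings.host not in LOCAL_HOSTS)
```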
<https://errata.software-univention.de/#/?erratum=5.0x503>
<https://errata.software-univention.de/#/?erratum=5.0x504>
<https://errata.software-univention.de/#/?erratum=5.0x505>