Bug 56348 – Low performance of UDM move operations due to ldap.MOD_REPLACE in the context of large groups

Bug 56348 - Low performance of UDM move operations due to ldap.MOD_REPLACE in the context of large groups


Summary:	Low performance of UDM move operations due to ldap.MOD_REPLACE in the context...

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	UDM (Generic)
Version:	UCS 5.0
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	UCS 5.0-4-errata
Assigned To:	Johannes Königer
QA Contact:	Florian Best

URL:	https://git.knut.univention.de/univen...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2023-07-25 13:35 CEST by Johannes Königer
Modified:	2023-08-02 16:06 CEST (History)
CC List:	2 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	2: Improvement: Would be a product improvement
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	1: Nuisance – not a big deal but noticeable
User Pain:	0.034
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	UCS Performance
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Johannes Königer

2023-07-25 13:35:19 CEST

This is about the performance of a move operation of a user, for example:

```
udm users/user move --dn='uid=aaa,cn=schueler,cn=users,ou=school1,dc=school,dc=test' --position='cn=schueler,cn=users,ou=school2,dc=school,dc=test'
```

This took 4 to 7 seconds on a primary within a large environment (2000 user OUs, total of 300000 users) which was a lot compared to adding/removing users which takes less than a second.

The moved user was member of `Domain Users school2,cn=groups,ou=school2,dc=school,dc=test` and `cn=schueler-school2,cn=groups,ou=school2,dc=school,dc=test` which have around 2000 other members each. When moving position of the user in the DIT, this results, due to method `_move_in_groups` https://git.knut.univention.de/univention/ucs/-/blob/5.0-4/management/univention-directory-manager-modules/modules/univention/admin/handlers/__init__.py#L1510-1520
in a _replacement_ of the `uniqueMember` attribute - so all 2000 attributes are deleted and added again. Additionally the list comprehension generates a lot of overhead.

One already knows the move operation, so why not just delete the single attribute that corresponds to the moved user? Both the list comprehension and the modify will only take a fraction of the current time then, if my understanding of `ldapmodify` is correct.

I'll post a MR as a suggestion in a minute.

Comment 1 Johannes Königer

2023-07-25 13:50:01 CEST

See MR https://git.knut.univention.de/univention/ucs/-/merge_requests/845 for a suggestion, but please keep in mind that I have not that much experience with UDM/uldap internals.

Comment 2 Johannes Königer

2023-07-29 08:39:16 CEST

https://git.knut.univention.de/univention/ucs/-/merge_requests/845 merged with the following commit:

univention-directory-manager-modules.yaml
bb4aeae7f9bb | fix(udm): Improve UDM move performance for users and computers

univention-directory-manager-modules (15.0.24-14)
bb4aeae7f9bb | fix(udm): Improve UDM move performance for users and computers

No behavior change expected, a move is now just faster.

Comment 3 Florian Best

2023-07-31 13:23:50 CEST

OK: Code review
OK: functional test: group memberships are still preserved when moving users
OK: error handling
OK: advisory
I did not perform performance comparisons (in my small system the move took equal time). but from code review it looks promising.

Comment 4 Christian Castens

2023-08-02 16:06:28 CEST

<https://errata.software-univention.de/#/?erratum=5.0x756>