Bug 58084 - Long Login Time for Users with Many Groups in UMC
Summary: Long Login Time for Users with Many Groups in UMC
Status: NEW
Alias: None
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 5.0
Hardware: Other Linux
: P5 normal
Target Milestone: ---
Assignee: UMC maintainers
QA Contact: UMC maintainers
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-03-18 12:30 CET by Finn David
Modified: 2025-08-25 14:38 CEST
4 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2025030321000975
Bug group (optional): UCS Performance
Customer ID: 39720
Max CVSS v3 score:


Description Finn David univentionstaff 2025-03-18 12:30:45 CET
#
# Environment
#

UCS: 5.0-9 errata1213
Installed: keycloak=25.0.6-ucs4 office365=5.11 opsi=4.3.0.15-ucs5 samba4=4.16 self-service=5.0 self-service-backend=5.0
ucsschool=5.0 v6 4.4/ucsschool-apis=1.1.0 4.4/ucsschool-kelvin-rest-api=1.10.3


#
# Description
#

When a user with many groups logs into the Univention Management Console (UMC), the permissions for each group are queried
via `uldap.getPolicies`. This results in a significantly increased login duration for users associated with numerous groups.
A user with ~2000 groups needs ~18 seconds to log in: https://pastebin.knut.univention.de/VGTEorUu/+inline?


#
# Workaround
#

A temporary workaround is to modify the `reload` function in `univention/management/console/acl.py` so that ACLs are always
read from a file instead of being queried from LDAP:

    def reload(self, lo=None):
        super(LDAP_ACLs, self).reload()

#        if lo:
        if lo and False:
            self._read_from_ldap(lo)
            self._write_to_file(self.username)
        else:
            # read ACLs from file
            self._read_from_file(self.username)

However, this workaround has the downside that new users will encounter an error when attempting to load their ACLs.
The following error appears in `management-console-server.log`:

( PROCESS ) : Could not load ACLs of 'test42': [Errno 2] No such file or directory: '/var/cache/univention-management-console/acls/test42'


#
# Proposed Solution
#

A sustainable solution should be developed to ensure that the login duration is not unnecessarily extended due to ACL queries.
Currently, permission checks are performed for each group. It may be possible to limit these checks in advance based on specific
group types or object classes to reduce the number of queries and improve performance.
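The workaround above forces every login to read ACLs from the per-user cache file, which is why a user whose cache was never written fails with "No such file or directory". An added example (not UCS code, and not the reporter's patch) of a cache-first reload that closes that gap: it serves ACLs from the file when one exists, otherwise runs the LDAP lookup once and writes the cache, and it lets the cache be aged or invalidated so that group changes, including a removed membership, are still picked up. The class `CachedACLs`, its `ldap_lookup` callable, the `fake_ldap` stand-in, and the `max_age` and `invalidate` parameters are assumptions for illustration, not the product's API; the ACL dict content is constructed.

```python
import json
import os
import tempfile
import time


class CachedACLs:
    """Hypothetical ACL loader with a cache-first reload.

    Modelled on the reload() shown in the report, but this is an added example,
    not UCS code: ``ldap_lookup`` is a constructed stand-in for the expensive
    per-group uldap.getPolicies() walk.
    """

    def __init__(self, username, cache_dir, ldap_lookup):
        self.username = username
        self.cache_dir = cache_dir
        self.ldap_lookup = ldap_lookup  # callable(lo, username) -> list of ACL dicts
        self.acls = []
        self.source = None  # 'file' or 'ldap': where the last reload got its data

    def _cache_path(self):
        # never let a username such as '../x' escape the cache directory
        return os.path.join(self.cache_dir, self.username.replace('/', '_'))

    def _read_from_file(self, max_age):
        path = self._cache_path()
        if max_age is not None and time.time() - os.path.getmtime(path) > max_age:
            raise FileNotFoundError(path)  # treat a stale file like a missing one
        with open(path) as fh:
            return json.load(fh)

    def _write_to_file(self, acls):
        os.makedirs(self.cache_dir, exist_ok=True)
        tmp = self._cache_path() + '.tmp'
        with open(tmp, 'w') as fh:
            json.dump(acls, fh)
        os.replace(tmp, self._cache_path())  # atomic: a concurrent login never reads a half-written file

    def invalidate(self):
        """Drop the cache, e.g. from a listener when the user's group memberships change."""
        try:
            os.remove(self._cache_path())
        except FileNotFoundError:
            pass

    def reload(self, lo=None, max_age=None):
        """Serve ACLs from the cache; fall back to LDAP (and refill the cache)
        when the cache is missing or older than ``max_age`` seconds."""
        try:
            self.acls = self._read_from_file(max_age)
            self.source = 'file'
            return self.acls
        except FileNotFoundError:
            pass  # first login of this user, or cache invalidated: fall through to LDAP
        if lo is None:
            raise RuntimeError('no LDAP connection and no cached ACLs for %r' % self.username)
        self.acls = self.ldap_lookup(lo, self.username)
        self._write_to_file(self.acls)
        self.source = 'ldap'
        return self.acls


def demo(cache_dir=None):
    """Three logins of a new user: LDAP on the first, cache on the second,
    LDAP again after the cache was invalidated. Returns the three sources
    and the number of LDAP walks that were actually performed."""
    cache_dir = cache_dir or tempfile.mkdtemp()
    ldap_calls = []

    def fake_ldap(lo, username):  # constructed: stands in for the slow per-group query
        ldap_calls.append(username)
        return [{'flavor': 'users/user', 'command': 'udm/*'}]

    user = CachedACLs('test42', cache_dir, fake_ldap)
    user.reload(lo='fake-connection')
    first = user.source
    user.reload(lo='fake-connection')
    second = user.source
    user.invalidate()
    user.reload(lo='fake-connection')
    third = user.source
    return first, second, third, len(ldap_calls)


if __name__ == '__main__':
    print(demo())
```

The cost of any such cache is that a permission change is only visible after the file is aged out or invalidated, so a deployment that caches ACLs needs either a short `max_age` or an invalidation hook tied to group-membership changes; otherwise a user removed from a group keeps the cached rights until the next refresh.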
Comment 1 Daniel Tröder univentionstaff 2025-03-19 08:50:33 CET
IMHO, the product should not be optimized for users with 2000 groups. It's just too far away from typical scenarios.

Instead, IMHO, a project solution should be found. If that requires an extension point in the product (e.g., loading ACLs from a cache), that'd be fine.
Comment 2 Finn David univentionstaff 2025-03-19 13:28:16 CET
I agree, 2000 groups is a bit stretched. This number was picked for debugging on a test system, to better understand
the effects of group memberships on the login duration.

In this particular case, the customer has users with ~250 groups, which results in a login duration of ~7 seconds
(compared to ~0.5 seconds for a typical user with a handful of groups), which interferes with their daily work.