Univention Bugzilla – Bug 54853
udm users/user group membership resolution performance optimization
Last modified: 2022-06-27 18:55:00 CEST
Every open() of a users/user object does 2 LDAP queries to resolve the group memberships and the primary group membership.

Search for group memberships:
> File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1358, in _load_groups
>     self['groups'] = [x.decode('UTF-8') if six.PY2 else x for x in self.lo.searchDn(filter=filter_format(u'(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=%s))', [self.dn]))]

→ Can be optimized by just using the values from the "memberOf" attribute.

> File "/usr/lib/python3/dist-packages/univention/admin/handlers/users/user.py", line 1364, in _load_groups
>     primaryGroupResult = self.lo.searchDn(filter=filter_format(u'(&(cn=*)(|(objectClass=posixGroup)(objectClass=sambaGroupMapping))(gidNumber=%s))', [primaryGroupNumber]))

→ Can be optimized by adding a simple cache which stores the gidNumber → primaryGroup-DN mapping for a short time.
Patch in MR: https://git.knut.univention.de/univention/ucs/-/merge_requests/417
There is different behavior with the patch: The first search uses the ACLs of the current user while the memberOf attribute does not evaluate ACLs of the user and inserts all groups.

>>> set(x.decode('UTF-8') for x in a.get(dn, ['memberOf'])['memberOf']) - set(lo.searchDn(filter=filter_format(u'(&(cn=*)(|(objectClass=univentionGroup)(objectClass=sambaGroupMapping))(uniqueMember=%s))', [dn])))
{'cn=foo,cn=schueler,cn=groups,ou=abc,dc=base',}

This might cause follow-up errors when one iterates over the groups without noObject error handling.
1. The primary group memberships are now cached.
2. The "cn=*" has been removed from both LDAP filters.
3. The memberOf idea has NOT been implemented because of comment 3.
4. A preparation for idea 3 has been added to the UMC UDM module - this belongs to Bug #54883 but has been committed with the wrong commit message.

univention-management-console-module-udm.yaml
230de4415975 | Bug #54853: make sure all attributes potentially used by the UDM modules are fetched

univention-management-console-module-udm (10.0.1-27)
230de4415975 | Bug #54853: make sure all attributes potentially used by the UDM modules are fetched

univention-directory-manager-modules.yaml
c3844de736cd | Bug #54853: improove speed when fetching group memberships

univention-directory-manager-modules (15.0.11-53)
c3844de736cd | Bug #54853: improove speed when fetching group memberships

univention-directory-manager-modules (15.0.11-52)
a98a44007e07 | Bug #54853: remove cn=* from LDAP filter for groups
141d89b5e73a | Bug #54853: refactor LDAP caching
c516c7f59c91 | Bug #54853: cache primary group membership DNs

Merged to UCS 5.0-2:

univention-management-console-module-udm (10.0.2-1)
e5c74a385141 | Bug #54853: make sure all attributes potentially used by the UDM modules are fetched

univention-directory-manager-modules (15.0.12-2)
6595cc6f0d5a | Bug #54853: improove speed when fetching group memberships
8cc70e020a7f | Bug #54853: remove cn=* from LDAP filter for groups
681f2eff9528 | Bug #54853: refactor LDAP caching
f5c3036441fa | Bug #54853: cache primary group membership DNs
Cache: Works
TTL: Works
Tests: OK
YAML: OK
I added another commit:

univention-directory-manager-modules (15.0.13-1)
13b20009030b | Bug #54853: don't cache not found group memberships in case the group was not yet created or no permissions to read it exist. Otherwise followup logic in open() will set the primary group to "Domain Users". See Bug #42080.
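The caching behaviour discussed in this report (a short-lived gidNumber → primary group DN cache that never stores a failed lookup), as an added sketch that is not part of the bug report and is not the UDM implementation. `PrimaryGroupCache`, `FakeDirectory`, the 60-second TTL and the sample DNs are assumptions made for illustration.

```python
import time

class PrimaryGroupCache:
    """gidNumber -> primary group DN with a short TTL (hypothetical helper).

    Assumption: one instance per LDAP connection, so a DN read under one
    bind identity's ACLs is never handed to a different identity.
    """
    def __init__(self, search, ttl=60.0, clock=time.monotonic):
        self._search = search    # callable(gid_number) -> list of DNs
        self._ttl = ttl
        self._clock = clock
        self._entries = {}       # gid_number -> (expires_at, dn)

    def get(self, gid_number):
        now = self._clock()
        entry = self._entries.get(gid_number)
        if entry and entry[0] > now:
            return entry[1]
        self._entries.pop(gid_number, None)   # expired or absent
        found = self._search(gid_number)
        if not found:
            # Group not created yet or not readable: do not remember the
            # miss, or callers keep falling back for the whole TTL.
            return None
        self._entries[gid_number] = (now + self._ttl, found[0])
        return found[0]

class FakeDirectory:
    """Constructed stand-in for the LDAP search; counts queries."""
    def __init__(self):
        self.groups, self.searches = {}, 0
    def search_primary_group(self, gid_number):
        self.searches += 1
        dn = self.groups.get(gid_number)
        return [dn] if dn else []

def demo():
    now = [0.0]
    directory = FakeDirectory()
    cache = PrimaryGroupCache(directory.search_primary_group, clock=lambda: now[0])
    miss = cache.get("5001")                       # group does not exist yet
    directory.groups["5001"] = "cn=teachers,cn=groups,dc=example,dc=test"
    fresh = cache.get("5001")                      # miss was not cached
    cached = cache.get("5001")                     # served without a search
    searches_in_ttl = directory.searches
    now[0] = 61.0                                  # past the 60 s TTL
    directory.groups["5001"] = "cn=staff,cn=groups,dc=example,dc=test"
    return miss, fresh, cached, searches_in_ttl, cache.get("5001"), directory.searches

if __name__ == "__main__":
    print(demo())
```

A positive entry can still be stale for up to one TTL after a group is renamed or removed, so callers resolving the cached DN need the same noObject handling mentioned earlier in this report.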
Manual tests: OK
Auto tests: No regressions found
<https://errata.software-univention.de/#/?erratum=5.0x341>
<https://errata.software-univention.de/#/?erratum=5.0x342>