Opened 3 years ago
ldapplugin group lookup performance
Reported by: bpkroth@… | Owned by: eblot
The ldapplugin for trac provides group membership lookups in order to assign permissions - a nice feature. The trouble is that in order to do this it dumps an entire ldap database of groups, and then does another lookup and regex on all of them to see if a user is in the set. Not only is that really inefficient for large ldap dbs, it can also be incorrect for those (like AD) that impose limits on the number of entries they'll return.
Attached is a patch that fixes this by using an ldap search filter based on the settings the admin specified in the trac.ini. In my environment it results in .005s lookup time instead of ~10s. Tested with memberUid and member (e.g. DNs) attrs, and with openldap and AD systems.
My perl isn't python, so the code could potentially be cleaned up.
Poke me if you have any questions.
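
A sketch of the server-side membership filter the ticket describes, as an added example that is not the attached patch or LdapPlugin code. Because the user name ends up inside the filter that decides permissions, it is escaped per RFC 4515 (and RFC 4514 when the member attribute holds DNs); the function names, parameters, object classes and base DN are assumptions made for illustration.

```python
# Added example: names and sample values are constructed, not LdapPlugin's.

def escape_filter_value(value):
    """RFC 4515: escape NUL ( ) * and backslash in a filter assertion value."""
    return "".join("\\%02x" % ord(c) if c in "\0()*\\" else c for c in value)


def escape_dn_value(value):
    """RFC 4514: escape characters that are special inside an RDN value."""
    chars = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c == "\0":
            chars.append("\\00")
        elif (c in ',+"\\<>;=' or (i == 0 and c in "# ")
              or (i == last and c == " ")):
            chars.append("\\" + c)
        else:
            chars.append(c)
    return "".join(chars)


def group_filter(user, member_attr, member_is_dn=False, uid_attr="uid",
                 user_base="ou=people,dc=example,dc=org",
                 group_class="groupOfNames"):
    """Build a filter matching only the groups that list `user` as a member.

    member_is_dn=False: the attribute holds bare login names (memberUid).
    member_is_dn=True:  the attribute holds full DNs (member), so the
                        user's DN is assembled first, then filter-escaped.
    """
    if member_is_dn:
        member = "%s=%s,%s" % (uid_attr, escape_dn_value(user), user_base)
    else:
        member = user
    return "(&(objectClass=%s)(%s=%s))" % (
        group_class, member_attr, escape_filter_value(member))


if __name__ == "__main__":
    # Constructed inputs: a normal login, a DN-style lookup, and a name
    # containing filter metacharacters that must stay a literal value.
    print(group_filter("alice", "memberUid", group_class="posixGroup"))
    print(group_filter("alice", "member", member_is_dn=True))
    print(group_filter("*)(cn=*", "memberUid", group_class="posixGroup"))
```

The resulting string is what would be passed as the search filter with the group base DN, so the directory returns only the matching groups instead of the full set that a server-side size limit could truncate.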