Opened 4 years ago

#8650 new defect

ldapplugin group lookup performance

Reported by: bpkroth@… Owned by: eblot
Priority: normal Component: LdapPlugin
Severity: major Keywords:
Cc: Trac Release: 0.11


The ldapplugin for trac provides group membership lookups in order to assign permissions - a nice feature. The trouble is that in order to do this it dumps an entire ldap database of groups, and then does another lookup and regex on all of them to see if a user is in the set. Not only is that really inefficient for large ldap dbs, it can also be incorrect for those (like AD) that impose limits on the number of entires they'll return.

Attached is a patch that fixes this by using an ldap search filter based on the settings the admin specified in the trac.ini. In my environment it results in .005s lookup time instead of ~10s. Tested with memberUid, member (eg: DNs) attrs, and openldap, and AD systems.

My perl isn't python, so the code could potentially be cleaned up.

Poke me if you have any questions.

Thanks, Brian

Attachments (1)

group_lookups.diff (3.2 KB) - added by bpkroth@… 4 years ago.

Download all attachments as: .zip

Change History (1)

Changed 4 years ago by bpkroth@…


Add Comment

Modify Ticket

as new The owner will remain eblot.

E-mail address and user name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.