Opened 7 years ago

#8650 new defect

ldapplugin group lookup performance

Reported by: bpkroth@… Owned by: Emmanuel Blot
Priority: normal Component: LdapPlugin
Severity: major Keywords:
Cc: Trac Release: 0.11


The ldapplugin for trac provides group membership lookups in order to assign permissions - a nice feature. The trouble is that in order to do this it dumps an entire ldap database of groups, and then does another lookup and regex on all of them to see if a user is in the set. Not only is that really inefficient for large ldap dbs, it can also be incorrect for those (like AD) that impose limits on the number of entires they'll return.

Attached is a patch that fixes this by using an ldap search filter based on the settings the admin specified in the trac.ini. In my environment it results in .005s lookup time instead of ~10s. Tested with memberUid, member (eg: DNs) attrs, and openldap, and AD systems.

My perl isn't python, so the code could potentially be cleaned up.

Poke me if you have any questions.

Thanks, Brian

Attachments (1)

group_lookups.diff (3.2 KB) - added by bpkroth@… 7 years ago.

Download all attachments as: .zip

Change History (1)

Changed 7 years ago by bpkroth@…

Attachment: group_lookups.diff added


Modify Ticket

Change Properties
Set your email in Preferences
as new The owner will remain Emmanuel Blot.

Add Comment

E-mail address and name can be saved in the Preferences.

Note: See TracTickets for help on using tickets.