| Summary: | LdapLoginModule#getUserRolesByDn fails when user is in a very large number of groups | ||
|---|---|---|---|
| Product: | [RT] Jetty | Reporter: | Bill Higgins <billhigg> |
| Component: | server | Assignee: | Jesse McConnell <jesse.mcconnell> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | normal | ||
| Priority: | P3 | CC: | janb, jetty-inbox |
| Version: | unspecified | ||
| Target Milestone: | 7.5.x | ||
| Hardware: | All | ||
| OS: | Mac OS X - Carbon (unsup.) | ||
| Whiteboard: | |||
|
Description
Bill Higgins
I am no LDAP expert but a wild guess is that perhaps you could ask the LDAP server to do more work up front but reduce the total work by running a set of queries where you send in each role that you care about to see if the user is a member. E.g. today it seems to be asking: "Tell me all of Bill's roles" ... which in my case seems to be about 500 and is making Jetty unhappy. Perhaps instead the logic could be like this: "OK, web.xml cares about the 'admin' role and the 'user' role." " - is Bill in the 'admin' role?" " - is Bill in the 'user' role?" Just a thought. Bill, This isn't an easy fix from a cursory examination of the code. At issue is that on login we construct an object that contains the basic information we need from the remote data source and the only api we use off of this UserInfo object is at the List level...so getRoleNames() returning everything known about the user. This makes sense because we can only really mark the user as 'authenticated' when we know we can get all information from the authorities...if we refactored this api would would move authentication and authorization from a one time hit to a more lazy approach that would result in new and exciting ways to fail (i authenticated but now that the webpage is getting loaded we need to check for role A but alas, the ldap is down now and we can't check...what do we do? But I would be open to figuring out how to make this populating of the roles more bullet proof for your use case...are you getting any sort of timeout exception or anything when this lock up occurs? I am not an ldap wiz but I did write this login module (least I think I did...been a while)...I'll take a bit of a look to see if I have any knobs I can turn here while I wait for your response. Bill, I just checked with the experts over at Apache Directory and they said that what we are doing ought to work fine for your use case. What backend ldap server is this and do you have any stack traces or anything like that available? If this is easily reproducible and isn't giving you much feedback on what is wrong you could either take a series of thread dumps to see what is taking up the time or better yet would be to profile with something like yourkit so you can easily see what thread is taking up the time and what it is up to.. let me know your findings! jesse Hi Jesse, thanks for your response. I will work on getting the information you asked for and report back. It may take a week or two because I have to track down the right people. Bill, do you have an update on this? Otherwise I might just close it and you can reopen should you dig up more information in the future. Hi Jesse, I am unable to do additional investigation at this point and will stick with my workaround. I agree with your suggestion of closing it and I will reopen if I get additional supporting data. Bill, ok good deal, good luck and if you need something you know where we are cheers, jesse |