backport of commit 4e963c4c5bbd00d4150df1bc0d140bba43feb407 (#22704)
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
This commit is contained in:
parent
cb0784b87f
commit
a7f3af73ed
|
@ -0,0 +1,3 @@
|
||||||
|
```release-note:improvement
|
||||||
|
auth/ldap: improved login speed by adding concurrency to LDAP token group searches
|
||||||
|
```
|
|
@ -14,6 +14,7 @@ import (
|
||||||
"net"
|
"net"
|
||||||
"net/url"
|
"net/url"
|
||||||
"strings"
|
"strings"
|
||||||
|
"sync"
|
||||||
"text/template"
|
"text/template"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -478,6 +479,11 @@ func sidBytesToString(b []byte) (string, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection, userDN string) ([]*ldap.Entry, error) {
|
func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection, userDN string) ([]*ldap.Entry, error) {
|
||||||
|
var wg sync.WaitGroup
|
||||||
|
var lock sync.Mutex
|
||||||
|
taskChan := make(chan string)
|
||||||
|
maxWorkers := 10
|
||||||
|
|
||||||
result, err := conn.Search(&ldap.SearchRequest{
|
result, err := conn.Search(&ldap.SearchRequest{
|
||||||
BaseDN: userDN,
|
BaseDN: userDN,
|
||||||
Scope: ldap.ScopeBaseObject,
|
Scope: ldap.ScopeBaseObject,
|
||||||
|
@ -498,37 +504,53 @@ func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection,
|
||||||
|
|
||||||
userEntry := result.Entries[0]
|
userEntry := result.Entries[0]
|
||||||
groupAttrValues := userEntry.GetRawAttributeValues("tokenGroups")
|
groupAttrValues := userEntry.GetRawAttributeValues("tokenGroups")
|
||||||
|
|
||||||
groupEntries := make([]*ldap.Entry, 0, len(groupAttrValues))
|
groupEntries := make([]*ldap.Entry, 0, len(groupAttrValues))
|
||||||
|
|
||||||
|
for i := 0; i < maxWorkers; i++ {
|
||||||
|
wg.Add(1)
|
||||||
|
go func() {
|
||||||
|
defer wg.Done()
|
||||||
|
|
||||||
|
for sid := range taskChan {
|
||||||
|
groupResult, err := conn.Search(&ldap.SearchRequest{
|
||||||
|
BaseDN: fmt.Sprintf("<SID=%s>", sid),
|
||||||
|
Scope: ldap.ScopeBaseObject,
|
||||||
|
DerefAliases: ldapDerefAliasMap[cfg.DerefAliases],
|
||||||
|
Filter: "(objectClass=*)",
|
||||||
|
Attributes: []string{
|
||||||
|
"1.1", // RFC no attributes
|
||||||
|
},
|
||||||
|
SizeLimit: 1,
|
||||||
|
})
|
||||||
|
if err != nil {
|
||||||
|
c.Logger.Warn("unable to read the group sid", "sid", sid)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
if len(groupResult.Entries) == 0 {
|
||||||
|
c.Logger.Warn("unable to find the group", "sid", sid)
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
|
||||||
|
lock.Lock()
|
||||||
|
groupEntries = append(groupEntries, groupResult.Entries[0])
|
||||||
|
lock.Unlock()
|
||||||
|
}
|
||||||
|
}()
|
||||||
|
}
|
||||||
|
|
||||||
for _, sidBytes := range groupAttrValues {
|
for _, sidBytes := range groupAttrValues {
|
||||||
sidString, err := sidBytesToString(sidBytes)
|
sidString, err := sidBytesToString(sidBytes)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
c.Logger.Warn("unable to read sid", "err", err)
|
c.Logger.Warn("unable to read sid", "err", err)
|
||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
taskChan <- sidString
|
||||||
groupResult, err := conn.Search(&ldap.SearchRequest{
|
|
||||||
BaseDN: fmt.Sprintf("<SID=%s>", sidString),
|
|
||||||
Scope: ldap.ScopeBaseObject,
|
|
||||||
DerefAliases: ldapDerefAliasMap[cfg.DerefAliases],
|
|
||||||
Filter: "(objectClass=*)",
|
|
||||||
Attributes: []string{
|
|
||||||
"1.1", // RFC no attributes
|
|
||||||
},
|
|
||||||
SizeLimit: 1,
|
|
||||||
})
|
|
||||||
if err != nil {
|
|
||||||
c.Logger.Warn("unable to read the group sid", "sid", sidString)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
if len(groupResult.Entries) == 0 {
|
|
||||||
c.Logger.Warn("unable to find the group", "sid", sidString)
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
groupEntries = append(groupEntries, groupResult.Entries[0])
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
close(taskChan)
|
||||||
|
wg.Wait()
|
||||||
|
|
||||||
return groupEntries, nil
|
return groupEntries, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue