backport of commit 4e963c4c5bbd00d4150df1bc0d140bba43feb407 (#22704)

Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
hc-github-team-secure-vault-core 2023-09-01 09:18:05 -04:00 committed by GitHub
parent cb0784b87f
commit a7f3af73ed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 47 additions and 22 deletions

3
changelog/22659.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
auth/ldap: improved login speed by adding concurrency to LDAP token group searches
```


@ -14,6 +14,7 @@ import (
"net" "net"
"net/url" "net/url"
"strings" "strings"
"sync"
"text/template" "text/template"
"time" "time"
@ -478,6 +479,11 @@ func sidBytesToString(b []byte) (string, error) {
} }
func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection, userDN string) ([]*ldap.Entry, error) { func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection, userDN string) ([]*ldap.Entry, error) {
var wg sync.WaitGroup
var lock sync.Mutex
taskChan := make(chan string)
maxWorkers := 10
result, err := conn.Search(&ldap.SearchRequest{ result, err := conn.Search(&ldap.SearchRequest{
BaseDN: userDN, BaseDN: userDN,
Scope: ldap.ScopeBaseObject, Scope: ldap.ScopeBaseObject,
@ -498,37 +504,53 @@ func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection,
userEntry := result.Entries[0] userEntry := result.Entries[0]
groupAttrValues := userEntry.GetRawAttributeValues("tokenGroups") groupAttrValues := userEntry.GetRawAttributeValues("tokenGroups")
groupEntries := make([]*ldap.Entry, 0, len(groupAttrValues)) groupEntries := make([]*ldap.Entry, 0, len(groupAttrValues))
for i := 0; i < maxWorkers; i++ {
wg.Add(1)
go func() {
defer wg.Done()
for sid := range taskChan {
groupResult, err := conn.Search(&ldap.SearchRequest{
BaseDN: fmt.Sprintf("<SID=%s>", sid),
Scope: ldap.ScopeBaseObject,
DerefAliases: ldapDerefAliasMap[cfg.DerefAliases],
Filter: "(objectClass=*)",
Attributes: []string{
"1.1", // RFC no attributes
},
SizeLimit: 1,
})
if err != nil {
c.Logger.Warn("unable to read the group sid", "sid", sid)
continue
}
if len(groupResult.Entries) == 0 {
c.Logger.Warn("unable to find the group", "sid", sid)
continue
}
lock.Lock()
groupEntries = append(groupEntries, groupResult.Entries[0])
lock.Unlock()
}
}()
}
for _, sidBytes := range groupAttrValues { for _, sidBytes := range groupAttrValues {
sidString, err := sidBytesToString(sidBytes) sidString, err := sidBytesToString(sidBytes)
if err != nil { if err != nil {
c.Logger.Warn("unable to read sid", "err", err) c.Logger.Warn("unable to read sid", "err", err)
continue continue
} }
taskChan <- sidString
groupResult, err := conn.Search(&ldap.SearchRequest{
BaseDN: fmt.Sprintf("<SID=%s>", sidString),
Scope: ldap.ScopeBaseObject,
DerefAliases: ldapDerefAliasMap[cfg.DerefAliases],
Filter: "(objectClass=*)",
Attributes: []string{
"1.1", // RFC no attributes
},
SizeLimit: 1,
})
if err != nil {
c.Logger.Warn("unable to read the group sid", "sid", sidString)
continue
}
if len(groupResult.Entries) == 0 {
c.Logger.Warn("unable to find the group", "sid", sidString)
continue
}
groupEntries = append(groupEntries, groupResult.Entries[0])
} }
close(taskChan)
wg.Wait()
return groupEntries, nil return groupEntries, nil
} }
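Review bot: The worker goroutines now issue up to ten `conn.Search` calls concurrently on the single `Connection` passed into performLdapTokenGroupsSearch, and nothing on the page states that the `Connection` interface promises concurrent safety; the real go-ldap client multiplexes requests by message ID, but any other implementation (a test double, a wrapper that serialises on the socket) would be racy, so the method's doc comment should pin the requirement, e.g. `// conn must be safe for concurrent Search calls; group lookups run on up to maxWorkers goroutines.`. Two smaller points in the same hunk: `groupEntries` is now appended in completion order rather than tokenGroups order, so any caller relying on a stable ordering should be checked, and the ten workers are spawned (and `wg.Wait` runs) even when `groupAttrValues` is empty, which an early `if len(groupAttrValues) == 0 { return groupEntries, nil }` before the worker loop would avoid. The function's signature and the first part of its body are in the earlier hunk at `@ -478,6 +479,11 @@`.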