Improve LDAP login times, transfer 40x less data.
When recursively expanding LDAP groups we used to fetch all attributes
for each group. In our corporate setup this has been causing a huge
amount of data being transfered from the LDAP server to our Gerrit
instances. In the tcpdump output I could find a list of all corporate
user accounts being returned (probably as an attribute of a group).
However, we are really only interested in one attribute. Therefore, ask
the LDAP server for this one attribute only. This reduces the amount
of transfered data by a factor of 40, in our corporate setup.
Change-Id: I74df9064771d174a02f0e4d7cb2c5a994b9d8333
diff --git a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
index 0698203..730a86f 100644
--- a/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
+++ b/gerrit-server/src/main/java/com/google/gerrit/server/auth/ldap/Helper.java
@@ -279,7 +279,8 @@
try {
final Name compositeGroupName = new CompositeName().add(groupDN);
final Attribute in =
- ctx.getAttributes(compositeGroupName).get(schema.accountMemberField);
+ ctx.getAttributes(compositeGroupName, schema.accountMemberFieldArray)
+ .get(schema.accountMemberField);
if (in != null) {
final NamingEnumeration<?> groups = in.getAll();
try {
@@ -308,6 +309,7 @@
final ParameterizedString accountEmailAddress;
final ParameterizedString accountSshUserName;
final String accountMemberField;
+ final String[] accountMemberFieldArray;
final List<LdapQuery> accountQueryList;
final List<String> groupBases;
@@ -372,7 +374,10 @@
accountMemberField =
LdapRealm.optdef(config, "accountMemberField", type.accountMemberField());
if (accountMemberField != null) {
+ accountMemberFieldArray = new String[] {accountMemberField};
accountAtts.add(accountMemberField);
+ } else {
+ accountMemberFieldArray = null;
}
final SearchScope accountScope = LdapRealm.scope(config, "accountScope");
