Topic on Extension talk:LDAP Authentication

LDAP-Authentication is slow

134.147.28.232 (talk | contribs)

The login takes up to 2 minutes or longer if group restriction is enabled. A look at the debug log (log level: 3) shows that the user is searched for in every group in order to authenticate them. This step takes a lot of time because there are over 100.000 users and many groups. Is there a way to improve the speed, or a workaround such as just checking whether the user is in the required group? The MediaWiki version is 1.20.2. Configuration and log are below:

require_once( 'extensions/Ldap-Authentification/LdapAuthentication.php' );
$wgAuth = new LdapAuthenticationPlugin();
$wgUseLDAP = true;

#SERVER
$wgLDAPDomainNames = array(
    'groupname'
);

$wgLDAPServerNames = array(
    'groupname' => 'server'
);

$wgLDAPUseLocal = false;

$wgLDAPEncryptionType = array(
    'groupname' => "clear"
);

#PROXY
$wgLDAPProxyAgent = array(
    'groupname' => "cn=,ou=,dc=,dc=de"
);

$wgLDAPProxyAgentPassword = array(
    'groupname' => "password"
);

$wgLDAPSearchAttributes = array(
    'groupname' => "uid"
);

$wgLDAPBaseDNs = array(
    'groupname' => "dc=,dc=de"
);

$wgLDAPGroupBaseDNs = array(
    'groupname' => "ou=groups,dc=,dc=de"
);

$wgLDAPUserBaseDNs = array(
    'groupname' => "ou=users,dc=,dc=de"
);

#GROUPS
$wgLDAPGroupUseFullDN = array(
    'groupname' => true
);

$wgLDAPLowerCaseUsername = array(
    'groupname' => true
);

$wgLDAPGroupObjectclass = array(
    'groupname' => "groupOfUniqueNames"
);

$wgLDAPGroupAttribute = array(
    'groupname' => "uniqueMember"
);

$wgLDAPGroupNameAttribute = array(
    'groupname' => "cn"
);

$wgLDAPRequiredGroups = array(
    'groupname' => array("cn=groupname,ou=groups,dc=,dc=de")
);

2013-11-12 12:50:51  : 2.0f Entering validDomain
2013-11-12 12:50:51  : 2.0f User is not using a valid domain ().
2013-11-12 12:50:51  : 2.0f Entering getDomain
2013-11-12 12:50:51  : 2.0f Setting domain as: domain
2013-11-12 12:50:51  : 2.0f Entering allowPasswordChange
2013-11-12 12:50:51  : 2.0f Entering getDomain
2013-11-12 12:50:51  : 2.0f Entering getDomain
2013-11-12 12:50:51  : 2.0f Entering modifyUITemplate
2013-11-12 12:50:51  : 2.0f Entering getDomain
2013-11-12 12:50:51  : 2.0f Entering getDomain
2013-11-12 12:50:51  : 2.0f Entering getDomain
2013-11-12 12:50:52  : 2.0f Entering validDomain
2013-11-12 12:50:52  : 2.0f User is not using a valid domain ().
2013-11-12 12:50:52  : 2.0f Entering getDomain
2013-11-12 12:50:52  : 2.0f Setting domain as: domain
2013-11-12 12:50:52  : 2.0f Entering allowPasswordChange
2013-11-12 12:50:52  : 2.0f Entering getDomain
2013-11-12 12:50:52  : 2.0f Entering getDomain
2013-11-12 12:50:52  : 2.0f Entering modifyUITemplate
2013-11-12 12:50:52  : 2.0f Entering getDomain
2013-11-12 12:50:52  : 2.0f Entering getDomain
2013-11-12 12:50:52  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering validDomain
2013-11-12 12:50:56  : 2.0f User is using a valid domain (domain).
2013-11-12 12:50:56  : 2.0f Setting domain as: domain
2013-11-12 12:50:56  : 2.0f Entering getCanonicalName
2013-11-12 12:50:56  : 2.0f Username is: login
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Munged username: login
2013-11-12 12:50:56  : 2.0f Entering authenticate for username login
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering Connect
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Using TLS or not using encryption.
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Using servers:  ldap://server:389
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f PHP's LDAP connect method returned true (note, this does not imply it connected to the server).
2013-11-12 12:50:56  : 2.0f Entering getSearchString
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getUserDN
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Doing a proxy bind
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Created a regular filter: (uid=login)
2013-11-12 12:50:56  : 2.0f Entering getBaseDN
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f basedn is ou=users,dc=,dc=de
2013-11-12 12:50:56  : 2.0f Using base: ou=users,dc=,dc=de
2013-11-12 12:50:56  : 2.0f Setting the LDAPUsername based on fetched wgLDAPSearchAttributes: login
2013-11-12 12:50:56  : 2.0f userdn is: uid=login,ou=users,dc=,dc=de
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Binding as the user
2013-11-12 12:50:56  : 2.0f Bound successfully
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getGroups
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Retrieving LDAP group membership
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Searching for the groups
2013-11-12 12:50:56  : 2.0f Entering searchGroups
2013-11-12 12:50:56  : 2.0f Entering getBaseDN
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f basedn is ou=groups,dc=,dc=de
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Binding as the proxyagent
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Entering getDomain
2013-11-12 12:50:56  : 2.0f Search string: (&(uniqueMember=uid=login,ou=users,dc=,dc=de)(objectclass=groupOfUniqueNames))
2013-11-12 12:52:59  : 2.0f Returned groups: cn=group1,ou=groups,dc=,dc=de::cn=group2,ou=groups,dc=,dc=de::cn=group3,ou=groups,dc=,dc=de::cn=group4,ou=groups,dc=,dc=de::cn=sgroup5,ou=groups,dc=,dc=de::cn=group6,ou=groups,dc=,dc=de::cn=group7,ou=groups,dc=,dc=de::cn=group8,ou=groups,dc=,dc=de::cn=group9,ou=groups,dc=,dc=de::cn=group10,ou=groups,dc=,dc=de::cn=group11,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Entering getDomain
2013-11-12 12:52:59  : 2.0f Entering getDomain
2013-11-12 12:52:59  : 2.0f Entering checkGroups
2013-11-12 12:52:59  : 2.0f Entering getDomain
2013-11-12 12:52:59  : 2.0f Entering getDomain
2013-11-12 12:52:59  : 2.0f Checking for (new style) group membership
2013-11-12 12:52:59  : 2.0f Required groups: cn=group9,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Checking against: cn=group1,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Checking against: cn=group2,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Checking against: cn=group3,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Checking against: cn=group4,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Checking against: cn=group5,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Checking against: cn=group6,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Checking against: cn=group7,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Checking against: cn=group8,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Checking against: cn=group9,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Found user in a group.
2013-11-12 12:52:59  : 2.0f Entering getPreferences
2013-11-12 12:52:59  : 2.0f Entering getDomain
2013-11-12 12:52:59  : 2.0f Authentication passed
2013-11-12 12:52:59  : 2.0f Entering updateUser
2013-11-12 12:52:59  : 2.0f Entering getDomain
2013-11-12 12:52:59  : 2.0f Entering getDomain
2013-11-12 12:52:59  : 2.0f User has a token, setting domain in user options.
2013-11-12 12:52:59  : 2.0f Saving user settings.
198.181.18.21 (talk | contribs)

This problem is still present in the plugin. Users with a large number of groups are very slow to log in because of the poor implementation for searching the groups.
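
To confirm which step accounts for the delay in a debug log like the one posted above, the following added example (not part of the original posts and not code from the extension) measures the time between consecutive log lines and counts returned versus required groups. The sample log is a constructed excerpt in the same format, the function names are hypothetical, and the `::` separator for the required-groups line is an assumption.

```python
import re
from datetime import datetime

# Constructed excerpt in the same format as the debug log posted in this thread.
SAMPLE_LOG = """\
2013-11-12 12:50:56  : 2.0f Binding as the user
2013-11-12 12:50:56  : 2.0f Bound successfully
2013-11-12 12:50:56  : 2.0f Entering searchGroups
2013-11-12 12:50:56  : 2.0f Binding as the proxyagent
2013-11-12 12:50:56  : 2.0f Search string: (&(uniqueMember=uid=login,ou=users,dc=,dc=de)(objectclass=groupOfUniqueNames))
2013-11-12 12:52:59  : 2.0f Returned groups: cn=group1,ou=groups,dc=,dc=de::cn=group9,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Required groups: cn=group9,ou=groups,dc=,dc=de
2013-11-12 12:52:59  : 2.0f Found user in a group.
2013-11-12 12:52:59  : 2.0f Authentication passed
"""

# timestamp, " : ", version tag (e.g. "2.0f"), then the message
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+:\s+\S+\s+(.*)$")

def parse(log_text):
    """Return [(timestamp, message)] for every line in the plugin's log format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip blank or foreign lines instead of failing
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def slow_steps(log_text, threshold_s=5):
    """Steps whose following log line arrives at least threshold_s seconds later."""
    events = parse(log_text)
    slow = []
    for (t0, msg), (t1, _) in zip(events, events[1:]):
        gap = int((t1 - t0).total_seconds())
        if gap >= threshold_s:
            slow.append((gap, msg))
    return sorted(slow, reverse=True)

def group_summary(log_text):
    """Count groups the search returned versus groups the login required."""
    counts = {}
    for _, msg in parse(log_text):
        for key in ("Returned groups", "Required groups"):
            if msg.startswith(key + ": "):
                # Assumption: both lists use "::" as the separator.
                counts[key] = len(msg[len(key) + 2:].split("::"))
    return counts

if __name__ == "__main__":
    for gap, msg in slow_steps(SAMPLE_LOG):
        print(f"{gap:>4}s  {msg}")
    print(group_summary(SAMPLE_LOG))
```

Run against a full log, a single large gap after the `Search string:` line shows that the wait is in the directory search itself rather than in the plugin's later `checkGroups` comparison loop.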
