  1. Confluence Data Center
  2. CONFSERVER-10557

LDAP queries are submitting too many bind / unbind requests to the LDAP server.

    • Bug
    • Resolution: Fixed
    • Medium
    • 3.5
    • 2.7
    • None
    • Probably any Confluence integrated with any compliant LDAP server.
      Concretely:
      AS WebSphere 6.1
      DB Oracle 10g
      Microsoft ADAM LDAP

      When a user connects to the application, Confluence will send the following LDAP requests:

      1. LDAP Bind using the account provided in Confluence configuration ("atlassian-users.xml" file).
      then LDAP Search:

      • Base DN: "<baseUserNamespace>" parameter from "atlassian-users.xml" file.
      • Filter: (&(<userSearchFilter>)(UID=loginUser))
      • Attributes: « UID », « givenname », « sn », « mail »
        This one is to retrieve user account attributes

      2. LDAP Bind using the account provided in Confluence configuration ("atlassian-users.xml" file).
      then LDAP Search:

      • Base DN: "<baseGroupNamespace>" parameter from "atlassian-users.xml" file.
      • Filter: (&(&(<groupSearchFilter>)(<groupSearchFilter>))(member=<DN of the user account>))
      • Attributes: « cn »
        This one is to retrieve the LDAP groups the user belongs to.

      3. LDAP Bind using the account provided in Confluence configuration ("atlassian-users.xml" file).
      then LDAP Search:

      • Base DN: "<baseGroupNamespace>" parameter from "atlassian-users.xml" file.
      • Filter: (&(cn=<groupName>)(<groupSearchFilter>))
      • Attributes: « cn »
        I think this one is to check that each LDAP group really exists, if it is not in Confluence LDAP cache.

      The problem with these requests is that before each one of these LDAP search requests, Confluence will launch an LDAP bind request to the LDAP server, which makes 3 LDAP bind requests for a single user connection when I tested it. The problem is that LDAP bind requests are often greedy in resources for the LDAP server, so it would be preferable to make a single LDAP bind (to establish an LDAP session) and then send all the LDAP search requests for this user (in the same LDAP session). This is a general remark: when several LDAP requests must be sent by Confluence, it should be done with a single LDAP bind request. Is it possible to modify Confluence behaviour to reduce the number of LDAP bind requests?

              matt@atlassian.com Matt Ryall
              4623d825f066 Ludovic Lambert
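The single-session pattern the report asks for, as an added JNDI example (not code from Confluence or from the reporter): one bind, the three searches from the description on the same context, one unbind. The server URL, DNs and filter values are hypothetical stand-ins for the `atlassian-users.xml` settings, and the group-membership filter applies `<groupSearchFilter>` once rather than twice.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;

public class SingleBindLookup {
    // Hypothetical values standing in for the atlassian-users.xml settings.
    static final String URL = "ldap://ldap.example.test:389";
    static final String BIND_DN = "cn=confluence,ou=services,dc=example,dc=test";
    static final String BASE_USER = "ou=people,dc=example,dc=test";   // <baseUserNamespace>
    static final String BASE_GROUP = "ou=groups,dc=example,dc=test";  // <baseGroupNamespace>
    static final String USER_FILTER = "(objectClass=person)";         // <userSearchFilter>
    static final String GROUP_FILTER = "(objectClass=group)";         // <groupSearchFilter>

    // Runs one search on an already-bound context; no new bind is issued here.
    // {0} in the filter is filled from arg by JNDI, which escapes filter metacharacters.
    static List<SearchResult> search(DirContext ctx, String base, String filter,
                                     String arg, String... attrs) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(attrs);
        NamingEnumeration<SearchResult> results = ctx.search(base, filter, new Object[] {arg}, controls);
        List<SearchResult> out = new ArrayList<>();
        try { while (results.hasMore()) out.add(results.next()); }
        finally { results.close(); }
        return out;
    }

    public static List<String> groupsFor(String loginUser, String bindPassword) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        DirContext ctx = new InitialDirContext(env);   // the only bind for this login
        try {
            // Search 1: user account attributes.
            List<SearchResult> users = search(ctx, BASE_USER, "(&" + USER_FILTER + "(uid={0}))",
                                              loginUser, "uid", "givenname", "sn", "mail");
            if (users.size() != 1) return Collections.emptyList();  // unknown or ambiguous login
            String userDn = users.get(0).getNameInNamespace();
            List<String> groups = new ArrayList<>();
            // Search 2: groups whose member attribute holds the user's DN.
            for (SearchResult g : search(ctx, BASE_GROUP, "(&" + GROUP_FILTER + "(member={0}))", userDn, "cn")) {
                Attribute cn = g.getAttributes().get("cn");
                if (cn == null) continue;
                String name = (String) cn.get();
                // Search 3: confirm the group exists, still on the same session.
                if (!search(ctx, BASE_GROUP, "(&(cn={0})" + GROUP_FILTER + ")", name, "cn").isEmpty()) groups.add(name);
            }
            return groups;
        } finally { ctx.close(); }                     // the only unbind
    }
}
```

On the directory side, a login handled this way shows up as one bind, the searches, and one unbind on a single connection, which is the pattern to look for in the LDAP server's access log when checking whether a client still binds before every search.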