Details
- Bug
- Resolution: Fixed
- Medium
- 2.7
- None
Probably any Confluence integrated with any compliant LDAP server.
Concretely:
AS WebSphere 6.1
DB Oracle 10g
Microsoft ADAM LDAP
Description
When a user connects to the application, Confluence will send the following LDAP requests:
1. LDAP Bind using the account provided in Confluence configuration ("atlassian-users.xml" file).
then LDAP Search:
- Base DN: "<baseUserNamespace>" parameter from "atlassian-users.xml" file.
- Filter: (&(<userSearchFilter>)(UID=loginUser))
- Attributes: « UID », « givenname », « sn », « mail »
This one is to retrieve the user account attributes.
2. LDAP Bind using the account provided in Confluence configuration ("atlassian-users.xml" file).
then LDAP Search:
- Base DN: "<baseGroupNamespace>" parameter from "atlassian-users.xml" file.
- Filter: (&(&(<groupSearchFilter>)(<groupSearchFilter>))(member=<DN of the user account>))
- Attributes: « cn »
This one is to retrieve the LDAP groups the user belongs to.
3. LDAP Bind using the account provided in Confluence configuration ("atlassian-users.xml" file).
then LDAP Search:
- Base DN: "<baseGroupNamespace>" parameter from "atlassian-users.xml" file.
- Filter: (&(cn=<groupName>)(<groupSearchFilter>))
- Attributes: « cn »
I think this one is to check that each LDAP group really exists, if it is not in Confluence LDAP cache.
The problem with these requests is that before each one of these LDAP search requests, Confluence will launch an LDAP bind request to the LDAP server, which makes 3 LDAP bind requests for a single user connection when I tested it. The problem is that LDAP bind requests are often greedy in resources for the LDAP server, so it would be preferable to make a single LDAP bind (to establish an LDAP session) and then send all the LDAP search requests for this user (in the same LDAP session). This is a general remark: when several LDAP requests must be sent by Confluence, it should be done with a single LDAP bind request. Is it possible to modify Confluence's behaviour to reduce the number of LDAP bind requests?
Issue Links
- is related to
  - CONFSERVER-20527 Authenticator.getUser is invoked too many times per request (Closed)
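The single-bind sequence requested in the description, as an added sketch that is not Confluence code: one bind, then the three searches on the same session, with the login name escaped per RFC 4515 before it enters a filter. `FakeDirectory` and the `bindDn`/`bindPassword` keys are hypothetical; the group-membership filter uses the single-clause equivalent of the doubled `<groupSearchFilter>` shown in the report.

```python
# Added example, not Confluence code. FakeDirectory and the bindDn/bindPassword
# keys are hypothetical; the other keys are the atlassian-users.xml parameters
# named in the report.

def escape_filter(value):
    """Escape a value for an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

class FakeDirectory:
    """Constructed stand-in for an LDAP connection; counts operations."""
    def __init__(self, results):
        self.results = results            # (base DN, filter) -> list of entries
        self.binds, self.searches, self.bound = 0, [], False

    def bind(self, dn, password):
        self.binds += 1
        self.bound = True

    def search(self, base, flt):
        if not self.bound:
            raise RuntimeError("search sent before bind")
        self.searches.append(flt)
        return self.results.get((base, flt), [])

class LoginLookup:
    """Runs the report's three searches over one bound session."""
    def __init__(self, conn, cfg):
        self.conn, self.cfg, self.bound = conn, cfg, False
        self.known_groups = set()         # groups already verified (cache)

    def _search(self, base, flt):
        if not self.bound:                # bind once, on first use
            self.conn.bind(self.cfg["bindDn"], self.cfg["bindPassword"])
            self.bound = True
        return self.conn.search(base, flt)

    def login(self, login_user):
        c, esc = self.cfg, escape_filter
        users = self._search(c["baseUserNamespace"],        # search 1: user entry
            "(&(%s)(UID=%s))" % (c["userSearchFilter"], esc(login_user)))
        if len(users) != 1:
            return None
        groups = self._search(c["baseGroupNamespace"],      # search 2: memberships
            "(&(%s)(member=%s))" % (c["groupSearchFilter"], esc(users[0])))
        for cn in groups:                                   # search 3: uncached groups
            if cn not in self.known_groups and self._search(c["baseGroupNamespace"],
                    "(&(cn=%s)(%s))" % (esc(cn), c["groupSearchFilter"])):
                self.known_groups.add(cn)
        return users[0], [g for g in groups if g in self.known_groups]
```

A real deployment would also rebind when the server drops the session; the sketch leaves that out.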