Details
Suggestion
Resolution: Won't Fix
Description
The findGroupByName method on the SpringLDAPConnector calls findGroupWithAttributesByName, because the two calls are inherently identical: LDAP directories don't have custom attributes.
However, when a group is found, its memberships (memberDNs) are brought back. This can be slow for really large groups. For example, using OpenLDAP, a group with 40k members takes 5 seconds to retrieve. The findGroupByName method is called from many places, including addUserToGroup, etc., to check for the group's existence.
Fixing this doesn't seem trivial, as the culling of attributes is done on the client layer, i.e. we get all the attributes for the group object back from the LDAP server and map only the attributes we want on the client layer. Since the actual transport is what's looking to be costly, we'll need to modify the search to only request particular attributes.
Further, we will need to investigate where we actually need the memberDNs (e.g. group membership search) and when we only want the group name / active flag.
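A sketch of the server-side attribute selection described above, as an added example that is not code from this ticket or from the product: it uses plain JNDI rather than the Spring LDAP connector. The class and method names are hypothetical, the groupOfNames/cn/member schema is an assumed OpenLDAP-style layout, and the caller is assumed to supply a connected DirContext and base DN.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public final class GroupLookup { // hypothetical helper, not the connector's API
    // Assumed schema; adjust object class and attribute names to the directory in use.
    private static final String GROUP_FILTER = "(&(objectClass=groupOfNames)(cn={0}))";
    private static final String MEMBER_ATTR = "member";

    private static SearchControls controls(String... returning) {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // The server filters attributes: an empty array requests none, null would request all.
        sc.setReturningAttributes(returning);
        return sc;
    }

    /** Existence check: the entry is matched, but the member list never crosses the wire. */
    public static boolean groupExists(DirContext ctx, String baseDn, String name) throws NamingException {
        // {0} is filled in by JNDI with filter escaping, so the name cannot change the filter.
        NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, GROUP_FILTER, new Object[] {name}, controls());
        try {
            return results.hasMore();
        } finally {
            results.close();
        }
    }

    /** Membership lookup: the one call that asks the server for the member attribute. */
    public static List<String> memberDns(DirContext ctx, String baseDn, String name) throws NamingException {
        List<String> members = new ArrayList<>();
        NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, GROUP_FILTER, new Object[] {name}, controls(MEMBER_ATTR));
        try {
            if (results.hasMore()) {
                Attribute member = results.next().getAttributes().get(MEMBER_ATTR);
                NamingEnumeration<?> values = member == null ? null : member.getAll();
                while (values != null && values.hasMore()) {
                    members.add(String.valueOf(values.next()));
                }
            }
        } finally {
            results.close();
        }
        return members;
    }
}
```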