Optimize LDAP sync behavior for non-AD structures


    • Type: Suggestion
    • Resolution: Fixed
    • 2.6
    • Component/s: None

While Crowd is optimized to sync to Active Directory, for other LDAP structures Crowd follows a generic algorithm.

The following describes the observed behavior (via LDAP query logging) during sync of a directory of type "Open LDAP (Read Only Posix Schema)":

1. Search all data on all users:
   ou=People,dc=example,dc=com '(objectClass=inetOrgPerson)'

2. Search all data on all groups:
   ou=Groups,dc=example,dc=com '(cn=*)'

3. Repeat step 2.

4. For each group found, do the following:
   a. Search for all data on that group:
      ou=Groups,dc=example,dc=com '(&(cn=*)(cn=<groupname>))'

   b. Search for all users who have that group's GID number:
      ou=People,dc=example,dc=com '(&(objectClass=inetOrgPerson)(gidNumber=<gidnumber>))'

   c. For all users in that group:
      I. Search for users with that uid:
         ou=People,dc=example,dc=com '(&(objectClass=inetOrgPerson)(uid=<uid>))'

It seems that from steps 1 and 2, Crowd should have all the information it needs. Step 4 performs a series of nested loops (for each group... for each user... etc), which can take some time for larger LDAP servers.
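Added example, not Crowd's code and not part of the issue report: it resolves posix group membership from the results of steps 1 and 2 alone and counts how many searches the logged step 4 loop would issue for the same data. It assumes groups carry gidNumber and a memberUid list (standard posixGroup attributes), that step 4c iterates over primary-gid users plus memberUid values, and uses constructed sample entries.

```python
from collections import defaultdict

# Constructed sample data standing in for the results of step 1
# (ou=People, objectClass=inetOrgPerson) and step 2 (ou=Groups, cn=*).
USERS = [
    {"uid": "alice", "gidNumber": "1000"},
    {"uid": "bob", "gidNumber": "1000"},
    {"uid": "carol", "gidNumber": "2000"},
]
GROUPS = [
    {"cn": "developers", "gidNumber": "1000", "memberUid": ["carol"]},
    {"cn": "ops", "gidNumber": "2000", "memberUid": ["alice", "ghost"]},
    {"cn": "empty", "gidNumber": "3000", "memberUid": []},
]


def index_by_gid(users):
    """Map gidNumber -> set of uids whose primary group it is (replaces step 4b)."""
    by_gid = defaultdict(set)
    for user in users:
        by_gid[user["gidNumber"]].add(user["uid"])
    return by_gid


def candidate_uids(group, by_gid):
    """uids the per-group loop would look up: primary-gid users plus memberUid
    values (assumption: these are the users step 4c iterates over)."""
    return set(by_gid.get(group["gidNumber"], ())) | set(group.get("memberUid", []))


def resolve_memberships(users, groups):
    """Return {group cn: sorted member uids} using only the two bulk results."""
    by_gid = index_by_gid(users)
    known = {user["uid"] for user in users}
    # A memberUid naming a uid absent from ou=People is dropped, exactly as the
    # per-uid search of step 4c(I) would return no entry for it.
    return {g["cn"]: sorted(candidate_uids(g, by_gid) & known) for g in groups}


def count_observed_searches(users, groups):
    """Searches the logged behaviour issues: steps 1, 2 and 3, then for each
    group 4a and 4b, then one search per candidate uid for step 4c(I)."""
    by_gid = index_by_gid(users)
    return 3 + sum(2 + len(candidate_uids(g, by_gid)) for g in groups)


def count_bulk_searches():
    """Searches needed when memberships are resolved in memory from steps 1 and 2."""
    return 2
```

For the sample data the observed loop issues 15 searches against 2 for the in-memory resolution, and the gap grows with the number of groups and members.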

Assignee: Unassigned
Reporter: Robert Chang (Inactive)
Votes: 2
Watchers: 2
