Symptoms

When groups that are synchronized from the remote directory have members that are outside of the user or group filter / dn, Crowd may issue additional query to the remote directory in order to fetch those objects. During full synchronization this additional query is superfluous and does not influence the correctness of membership resolution.

Example

Crowd directory is configured as follows:

pull groups from dn: ou=Groups
pull users from dn: ou=Users

LDAP directory group contains members outside of ou=Groups and outside of ou=Users:

dn: cn=my-group,ou=Groups
objectClass: groupOfUniqueNames
objectClass: top
cn: my-group
uniqueMember: cn=john,ou=Users
uniqueMember: cn=bot-account,ou=Automation

In such situation Crowd, during synchronisation, will issue additional query to remote directory in order to fetch cn=bot-account,ou=Automation, which was not fetched before as the group dn configured in Crowd is ou=Groups.

This additional query may become a timing culprit in situation where there are many additional member objects in groups that are outside of the scope configured and when the LDAP server is slow to respond.

Workaround

None at this point

Attachments

Issue Links

is duplicated by: KRAK-1188 Loading...

mentioned in: Page Loading...

Activity

People

Assignee:: Patryk

Reporter:: Marcin Kempa

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 23/Mar/2018 10:06 AM

Updated:: 19/Aug/2019 8:01 AM

Resolved:: 23/Mar/2018 10:42 AM