In the process of setting up a new LDAP Connector directory, an administrator is very likely to save the directory before it is fully configured. This inadvertently triggers a sync against LDAP using the default attributes and search filters, which are very broad. Given a large enough LDAP, this "accidental sync" can run for a very long time, consuming resources on the Crowd and database servers and potentially impacting all Crowd-related activity.
The following is a common workflow when setting up a new LDAP Connector directory:
1. Select a directory type (select the Connector radio button) and hit the Next button.
2. You will be taken to the "Details" tab on the next screen. Fill in the details and hit the blue "Continue" button.
3. You will be taken to the "Connector" tab and be shown an error, because not all required details have been filled in. Fill in all the details (base DN and bind credentials) and hit Continue at the bottom.
4. You will now be taken to the "Configuration" tab, where you can further tune details such as the user and group search filters. Fill these out and hit Continue once more.
Expected behaviour: the new directory is not added to the database until all tabs have been filled in and reviewed by the administrator.
Actual behaviour: after hitting "Continue" in Step 3, and despite the admin not yet having customized the "Configuration" tab, the directory has already been committed to the database. A sync automatically starts shortly afterwards, using the default attributes and search filters. These default filters are very broad and are likely to pull in ALL users and groups within the scope of the base DN set in Step 2.
Assuming this sync finishes, the next sync takes place using the intended filters configured in Step 4. If the intended filters are very restrictive, Crowd then has to perform expensive database updates to "undo" all the changes made by the first sync. This can take even longer than the first sync due to CWD-5098.
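To make the cost of the accidental sync concrete, the following added example (not Crowd's code, and not its real default filters) evaluates two LDAP search filters against a constructed directory snapshot and reports how many users the broad first sync pulls in, how many the intended second sync keeps, and how many the second sync therefore has to remove. The snapshot, the group DN and both filters are constructed for illustration; the filter grammar is the RFC 4515 subset of equality, presence, substring, AND, OR and NOT.

```python
"""Estimate the "undo" work a broad accidental sync causes, compared with the
intended restrictive sync, by running LDAP filters over a constructed snapshot.
Added example; not Crowd's code. Entry attribute names are stored lowercase,
and values inside a filter must not contain ')' (a simplification)."""
import re
from typing import Callable, Dict, List, Tuple

Entry = Dict[str, List[str]]          # attribute name (lowercase) -> values
Predicate = Callable[[Entry], bool]

# Constructed group DN used by the "intended" filter below.
CROWD_GROUP_DN = "cn=crowd-users,ou=groups,dc=example,dc=com"
# Constructed broad filter standing in for a default "every person" filter.
BROAD_FILTER = "(&(objectClass=person)(uid=*))"
# Constructed restrictive filter that only keeps members of one group.
INTENDED_FILTER = f"(&(objectClass=person)(memberOf={CROWD_GROUP_DN}))"


def parse_filter(text: str) -> Predicate:
    """Compile an LDAP filter string into a predicate over Entry dicts."""
    text = text.strip()
    pred, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return pred


def _parse(s: str, i: int) -> Tuple[Predicate, int]:
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|":                      # (&(...)(...)) or (|(...)(...))
        i += 1
        subs: List[Predicate] = []
        while s[i] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "&":
            return (lambda e: all(p(e) for p in subs)), i + 1
        return (lambda e: any(p(e) for p in subs)), i + 1
    if op == "!":                       # (!(...))
        sub, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (lambda e: not sub(e)), i + 1
    # Simple item: attr=value, attr=* (presence) or attr=a*b (substring).
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    attr = attr.strip().lower()
    i = j + 1
    if value == "*":
        return (lambda e: bool(e.get(attr))), i
    if "*" in value:
        pattern = re.compile(
            "^" + ".*".join(re.escape(part) for part in value.split("*")) + "$",
            re.IGNORECASE)
        return (lambda e: any(pattern.match(v) for v in e.get(attr, []))), i
    return (lambda e: any(v.lower() == value.lower() for v in e.get(attr, []))), i


def build_snapshot(total: int = 1000, licensed: int = 50) -> List[Entry]:
    """Constructed directory: `total` people, of which the first `licensed`
    are members of the Crowd group. Every fourth user is in engineering."""
    entries: List[Entry] = []
    for n in range(total):
        entry: Entry = {
            "dn": [f"uid=user{n:04d},ou=people,dc=example,dc=com"],
            "objectclass": ["top", "person", "inetOrgPerson"],
            "uid": [f"user{n:04d}"],
            "ou": ["engineering" if n % 4 == 0 else "sales"],
        }
        if n < licensed:
            entry["memberof"] = [CROWD_GROUP_DN]
        entries.append(entry)
    return entries


def sync_delta(entries: List[Entry], first_filter: str,
               second_filter: str) -> Tuple[int, int, int]:
    """Return (users added by the first sync, users kept by the second sync,
    users the second sync must remove again)."""
    first = parse_filter(first_filter)
    second = parse_filter(second_filter)
    added = {e["dn"][0] for e in entries if first(e)}
    kept = {e["dn"][0] for e in entries if second(e)}
    return len(added), len(kept), len(added - kept)


if __name__ == "__main__":
    added, kept, removed = sync_delta(build_snapshot(), BROAD_FILTER, INTENDED_FILTER)
    print(f"accidental sync adds {added} users; intended sync keeps {kept}; "
          f"{removed} users must be deleted by the second sync")
```

Run against a larger `total` to see how the removal count, which is the expensive part of the second sync, scales with the size of the base DN rather than with the size of the intended user set.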
Crowd actually tries to add the directory to the database once after Continue is clicked in Step 2, but is blocked because required attributes are still missing. After Step 3, however, it has everything it needs to add the directory successfully, thanks to the pre-populated attributes and filters.
When setting up a new LDAP Connector, instead of using the "Continue" buttons, manually click on each tab (Details, Connector, Configuration, Permissions). Do not click Continue on any tab until ALL intended configurations are in place. As soon as Continue is clicked, Crowd will attempt to commit the directory to the database and start a sync if it is successful.