From e5b1daa3d96c5564dc64af5440a7dddaddfe3575 Mon Sep 17 00:00:00 2001 From: Dan Date: Mon, 29 Nov 2021 11:03:14 -0500 Subject: [PATCH 1/2] Remove wild-card from uid search, it performs very badly. Add a bit of logging so we can easily see performance in the future. --- crc/services/ldap_service.py | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/crc/services/ldap_service.py b/crc/services/ldap_service.py index 3ecd634d..42b02498 100644 --- a/crc/services/ldap_service.py +++ b/crc/services/ldap_service.py @@ -1,13 +1,9 @@ -import logging import os -import ssl -from os import path - -from attr import asdict from ldap3.core.exceptions import LDAPExceptionError +import datetime as dt from crc import app, db -from ldap3 import Connection, Server, MOCK_SYNC, RESTARTABLE, SASL, DIGEST_MD5, ALL, Tls, EXTERNAL, SYNC +from ldap3 import Connection, Server, MOCK_SYNC, RESTARTABLE from crc.api.common import ApiError from crc.models.ldap import LdapModel, LdapSchema @@ -18,7 +14,8 @@ class LdapService(object): attributes = ['uid', 'cn', 'sn', 'displayName', 'givenName', 'mail', 'objectClass', 'UvaDisplayDepartment', 'telephoneNumber', 'title', 'uvaPersonIAMAffiliation', 'uvaPersonSponsoredType'] uid_search_string = "(&(objectclass=person)(uid=%s))" - user_or_last_name_search = "(&(objectclass=person)(|(uid=%s*)(sn=%s*)))" + # adding a '*' to the end of uid here would match partial uid, but it is too slow on the new ldap server. + user_or_last_name_search = "(&(objectclass=person)(|(uid=%s)(sn=%s*)))" cn_single_search = '(&(objectclass=person)(cn=%s*))' cn_double_search = '(&(objectclass=person)(&(cn=%s*)(cn=*%s*)))' temp_cache = {} 
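Review bot: The filter templates in the `@@ -18,7 +14,8 @@` hunk are still filled by `%` interpolation, and the `@@ -89,10 +86,13 @@` hunk shows `user_or_last_name_search % (query, query)` taking the search term as-is. LDAP filter metacharacters (`*`, `(`, `)`, `\`) in the `query` parameter of `/v1.0/ldap` would therefore alter the filter's structure instead of being matched literally. Unless the value is already escaped somewhere outside these hunks, escape it before interpolation with `query = escape_filter_chars(query)`, imported via `from ldap3.utils.conv import escape_filter_chars`. Without that, a `*` supplied in the term re-creates the slow partial-uid search this commit removes. The new comment could record the requirement, e.g. `# uid is matched exactly; values must be escaped before being interpolated into these filters.`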
@@ -89,10 +86,13 @@ class LdapService(object): # Search by user_id or last name search_string = LdapService.user_or_last_name_search % (query, query) results = [] - app.logger.info(search_string) try: conn = LdapService.__get_conn() + a = dt.datetime.now() conn.search(LdapService.search_base, search_string, attributes=LdapService.attributes) + b = dt.datetime.now() + app.logger.info('LDAP Search ' + search_string + " -- " + str((b - a).total_seconds()) + " sec.") + # Entries are returned as a generator, accessing entries # can make subsequent calls to the ldap service, so limit # those here. From b9c936da388a5d634596e5c4f0a7b330394ecb59 Mon Sep 17 00:00:00 2001 From: Dan Date: Mon, 29 Nov 2021 11:25:45 -0500 Subject: [PATCH 2/2] Fix the test. --- tests/ldap/test_ldap_api.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ldap/test_ldap_api.py b/tests/ldap/test_ldap_api.py index d159ddcb..65118cb6 100644 --- a/tests/ldap/test_ldap_api.py +++ b/tests/ldap/test_ldap_api.py @@ -10,7 +10,7 @@ class TestLdapApi(BaseTest): Test to make sure that LDAP api returns a real user """ self.load_example_data() - rv = self.app.get('/v1.0/ldap?query=dhf', + rv = self.app.get('/v1.0/ldap?query=dhf8r', follow_redirects=True, content_type="application/json", headers=self.logged_in_headers()) self.assertTrue(rv.status_code == 200)
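Review bot: The added `app.logger.info` call in the `@@ -89,10 +86,13 @@` hunk concatenates the fully interpolated filter, including the caller-supplied search term, into the log message. A term containing line breaks would be written verbatim, and names or uids being searched end up in info-level logs. Prefer lazy arguments with a repr of the filter, `app.logger.info('LDAP search %r took %.3f sec', search_string, elapsed)`. For the duration, `dt.datetime.now()` is wall-clock time and can jump when the clock is adjusted, so `time.perf_counter()` before and after `conn.search` is the safer measure. The timing also stops before the entries are read, which the comment below says can trigger further LDAP calls, so the logged figure may understate the real cost; the `try` block continues outside the hunk.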
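Review bot: The test in the `@@ -10,7 +10,7 @@` hunk now passes the full uid `dhf8r`, so it no longer exercises the behaviour this commit changed, nor the `sn=%s*` clause that still does a prefix match. Consider adding one case asserting what a partial uid such as `dhf` returns under the new filter and one asserting that a last-name prefix still finds the user. A further case where the query contains `(`, `)` or `*` would pin down that such input is handled as literal text and does not produce a server error. Tests outside this hunk may already cover some of this; the test method starts above the hunk.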