scottk/vault
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/vault.git synced 2025-10-30 02:02:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add worker pool for LDAP group lookup (#22659)

Browse Source 
* Add worker pool for LDAP group lookup

* changelog

* Add lock

* derefAliases disappeared
This commit is contained in:
Jason O'Donnell
2023-08-31 15:34:23 -04:00
committed by GitHub
parent cdf6bf0669
commit 4e963c4c5b
2 changed files with 47 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
changelog/22659.txt Normal file
View File

@@ -0,0 +1,3 @@
```release-note:improvement
auth/ldap: improved login speed by adding concurrency to LDAP token group searches
```

66
sdk/helper/ldaputil/client.go
View File

@@ -14,6 +14,7 @@ import (
"net" "net"
"net/url" "net/url"
"strings" "strings"
"sync"
"text/template" "text/template"
"time" "time"
@@ -478,6 +479,11 @@ func sidBytesToString(b []byte) (string, error) {
} }
func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection, userDN string) ([]*ldap.Entry, error) { func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection, userDN string) ([]*ldap.Entry, error) {
var wg sync.WaitGroup
var lock sync.Mutex
taskChan := make(chan string)
maxWorkers := 10
result, err := conn.Search(&ldap.SearchRequest{ result, err := conn.Search(&ldap.SearchRequest{
BaseDN: userDN, BaseDN: userDN,
Scope: ldap.ScopeBaseObject, Scope: ldap.ScopeBaseObject,
@@ -498,37 +504,53 @@ func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection,
userEntry := result.Entries[0] userEntry := result.Entries[0]
groupAttrValues := userEntry.GetRawAttributeValues("tokenGroups") groupAttrValues := userEntry.GetRawAttributeValues("tokenGroups")
groupEntries := make([]*ldap.Entry, 0, len(groupAttrValues)) groupEntries := make([]*ldap.Entry, 0, len(groupAttrValues))
for i := 0; i < maxWorkers; i++ {
wg.Add(1)
go func() {
defer wg.Done()
for sid := range taskChan {
groupResult, err := conn.Search(&ldap.SearchRequest{
BaseDN: fmt.Sprintf("<SID=%s>", sid),
Scope: ldap.ScopeBaseObject,
DerefAliases: ldapDerefAliasMap[cfg.DerefAliases],
Filter: "(objectClass=*)",
Attributes: []string{
"1.1", // RFC no attributes
},
SizeLimit: 1,
})
if err != nil {
c.Logger.Warn("unable to read the group sid", "sid", sid)
continue
}
if len(groupResult.Entries) == 0 {
c.Logger.Warn("unable to find the group", "sid", sid)
continue
}
lock.Lock()
groupEntries = append(groupEntries, groupResult.Entries[0])
lock.Unlock()
}
}()
}
for _, sidBytes := range groupAttrValues { for _, sidBytes := range groupAttrValues {
sidString, err := sidBytesToString(sidBytes) sidString, err := sidBytesToString(sidBytes)
if err != nil { if err != nil {
c.Logger.Warn("unable to read sid", "err", err) c.Logger.Warn("unable to read sid", "err", err)
continue continue
} }
taskChan <- sidString
groupResult, err := conn.Search(&ldap.SearchRequest{
BaseDN: fmt.Sprintf("<SID=%s>", sidString),
Scope: ldap.ScopeBaseObject,
DerefAliases: ldapDerefAliasMap[cfg.DerefAliases],
Filter: "(objectClass=*)",
Attributes: []string{
"1.1", // RFC no attributes
},
SizeLimit: 1,
})
if err != nil {
c.Logger.Warn("unable to read the group sid", "sid", sidString)
continue
}
if len(groupResult.Entries) == 0 {
c.Logger.Warn("unable to find the group", "sid", sidString)
continue
}
groupEntries = append(groupEntries, groupResult.Entries[0])
} }
close(taskChan)
wg.Wait()
return groupEntries, nil return groupEntries, nil
} }