Add worker pool for LDAP group lookup (#22659)

* Add worker pool for LDAP group lookup * changelog * Add lock * derefAliases disappeared
hashicorp · Aug 31, 2023 · 355cc34 · 355cc34
1 parent 716aa13
commit 355cc34
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 21 deletions.
diff --git a/changelog/22659.txt b/changelog/22659.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: improved login speed by adding concurrency to LDAP token group searches
+```
diff --git a/sdk/helper/ldaputil/client.go b/sdk/helper/ldaputil/client.go
@@ -11,6 +11,7 @@ import (
 	"net"
 	"net/url"
 	"strings"
+	"sync"
 	"text/template"
 	"time"
 
@@ -463,6 +464,11 @@ func sidBytesToString(b []byte) (string, error) {
 }
 
 func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection, userDN string) ([]*ldap.Entry, error) {
+	var wg sync.WaitGroup
+	var lock sync.Mutex
+	taskChan := make(chan string)
+	maxWorkers := 10
+
 	result, err := conn.Search(&ldap.SearchRequest{
 		BaseDN: userDN,
 		Scope:  ldap.ScopeBaseObject,
@@ -482,36 +488,53 @@ func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection,
 
 	userEntry := result.Entries[0]
 	groupAttrValues := userEntry.GetRawAttributeValues("tokenGroups")
-
 	groupEntries := make([]*ldap.Entry, 0, len(groupAttrValues))
+
+	for i := 0; i < maxWorkers; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+
+			for sid := range taskChan {
+				groupResult, err := conn.Search(&ldap.SearchRequest{
+					BaseDN:       fmt.Sprintf("<SID=%s>", sid),
+					Scope:        ldap.ScopeBaseObject,
+					DerefAliases: ldapDerefAliasMap[cfg.DerefAliases],
+					Filter:       "(objectClass=*)",
+					Attributes: []string{
+						"1.1", // RFC no attributes
+					},
+					SizeLimit: 1,
+				})
+				if err != nil {
+					c.Logger.Warn("unable to read the group sid", "sid", sid)
+					continue
+				}
+
+				if len(groupResult.Entries) == 0 {
+					c.Logger.Warn("unable to find the group", "sid", sid)
+					continue
+				}
+
+				lock.Lock()
+				groupEntries = append(groupEntries, groupResult.Entries[0])
+				lock.Unlock()
+			}
+		}()
+	}
+
 	for _, sidBytes := range groupAttrValues {
 		sidString, err := sidBytesToString(sidBytes)
 		if err != nil {
 			c.Logger.Warn("unable to read sid", "err", err)
 			continue
 		}
-
-		groupResult, err := conn.Search(&ldap.SearchRequest{
-			BaseDN: fmt.Sprintf("<SID=%s>", sidString),
-			Scope:  ldap.ScopeBaseObject,
-			Filter: "(objectClass=*)",
-			Attributes: []string{
-				"1.1", // RFC no attributes
-			},
-			SizeLimit: 1,
-		})
-		if err != nil {
-			c.Logger.Warn("unable to read the group sid", "sid", sidString)
-			continue
-		}
-		if len(groupResult.Entries) == 0 {
-			c.Logger.Warn("unable to find the group", "sid", sidString)
-			continue
-		}
-
-		groupEntries = append(groupEntries, groupResult.Entries[0])
+		taskChan <- sidString
 	}
 
+	close(taskChan)
+	wg.Wait()
+
 	return groupEntries, nil
 }