From fa9c963140558c8c1b865100ce859d4f17fe7356 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Fri, 1 Sep 2023 08:25:28 -0400
Subject: [PATCH] Backport of Add worker pool for LDAP group lookup into release/1.13.x (#22703)
* Add worker pool for LDAP group lookup (#22659)
* Add worker pool for LDAP group lookup
* changelog
* Add lock
* derefAliases disappeared
* Remove deref
* fmt
---------
Co-authored-by: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
---
 changelog/22659.txt | 3 ++
 sdk/helper/ldaputil/client.go | 64 +++++++++++++++++++++++------------
 2 files changed, 46 insertions(+), 21 deletions(-)
 create mode 100644 changelog/22659.txt
diff --git a/changelog/22659.txt b/changelog/22659.txt
new file mode 100644
index 0000000000000..501fb4ecc866e
--- /dev/null
+++ b/changelog/22659.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+auth/ldap: improved login speed by adding concurrency to LDAP token group searches
+```
diff --git a/sdk/helper/ldaputil/client.go b/sdk/helper/ldaputil/client.go
index 9096a14576c15..7e3f9aa349da0 100644
--- a/sdk/helper/ldaputil/client.go
+++ b/sdk/helper/ldaputil/client.go
@@ -11,6 +11,7 @@ import (
 	"net"
 	"net/url"
 	"strings"
+	"sync"
 	"text/template"
 	"time"
 
@@ -463,6 +464,11 @@ func sidBytesToString(b []byte) (string, error) {
 }
 
 func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection, userDN string) ([]*ldap.Entry, error) {
+	var wg sync.WaitGroup
+	var lock sync.Mutex
+	taskChan := make(chan string)
+	maxWorkers := 10
+
 	result, err := conn.Search(&ldap.SearchRequest{
 		BaseDN: userDN,
 		Scope: ldap.ScopeBaseObject,
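Review bot: `maxWorkers := 10` in the new declarations at the top of performLdapTokenGroupsSearch is an undocumented magic number that bounds how many searches are issued at once on the shared `conn`; a named constant with a comment would make the intent and the tuning point visible, e.g. `// tokenGroupsWorkers bounds the concurrent per-SID searches issued on one LDAP connection.` followed by `const tokenGroupsWorkers = 10`. `lock` guards only `groupEntries` in the later hunk, so a name such as `groupEntriesMu` would say what it protects. The function body continues past this hunk.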
@@ -482,36 +488,52 @@ func (c *Client) performLdapTokenGroupsSearch(cfg *ConfigEntry, conn Connection,
 	userEntry := result.Entries[0]
 	groupAttrValues := userEntry.GetRawAttributeValues("tokenGroups")
-	groupEntries := make([]*ldap.Entry, 0, len(groupAttrValues))
+
+	for i := 0; i < maxWorkers; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+
+			for sid := range taskChan {
+				groupResult, err := conn.Search(&ldap.SearchRequest{
+					BaseDN: fmt.Sprintf("", sid),
+					Scope: ldap.ScopeBaseObject,
+					Filter: "(objectClass=*)",
+					Attributes: []string{
+						"1.1", // RFC no attributes
+					},
+					SizeLimit: 1,
+				})
+				if err != nil {
+					c.Logger.Warn("unable to read the group sid", "sid", sid)
+					continue
+				}
+
+				if len(groupResult.Entries) == 0 {
+					c.Logger.Warn("unable to find the group", "sid", sid)
+					continue
+				}
+
+				lock.Lock()
+				groupEntries = append(groupEntries, groupResult.Entries[0])
+				lock.Unlock()
+			}
+		}()
+	}
+
 	for _, sidBytes := range groupAttrValues {
 		sidString, err := sidBytesToString(sidBytes)
 		if err != nil {
 			c.Logger.Warn("unable to read sid", "err", err)
 			continue
 		}
-
-		groupResult, err := conn.Search(&ldap.SearchRequest{
-			BaseDN: fmt.Sprintf("", sidString),
-			Scope: ldap.ScopeBaseObject,
-			Filter: "(objectClass=*)",
-			Attributes: []string{
-				"1.1", // RFC no attributes
-			},
-			SizeLimit: 1,
-		})
-		if err != nil {
-			c.Logger.Warn("unable to read the group sid", "sid", sidString)
-			continue
-		}
-		if len(groupResult.Entries) == 0 {
-			c.Logger.Warn("unable to find the group", "sid", sidString)
-			continue
-		}
-
-		groupEntries = append(groupEntries, groupResult.Entries[0])
+		taskChan <- sidString
 	}
+	close(taskChan)
+	wg.Wait()
+
 	return groupEntries, nil
 }
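Review bot: The workers started by the new `for i := 0; i < maxWorkers; i++` loop all call `conn.Search` on the same `Connection` value concurrently, and nothing in the hunk records that the implementation behind `Connection` tolerates overlapping searches; if it does, say so above the loop, e.g. `// Workers share conn; Connection implementations must be safe for concurrent Search calls.`, and if it does not, each worker needs its own connection rather than the shared one. Because results are appended in completion order under `lock`, the returned slice is no longer in tokenGroups order, which any caller that compares or de-duplicates by position would notice — worth one line in the function comment. The worker's `c.Logger.Warn("unable to read the group sid", "sid", sid)` still drops the search error; since the line was rewritten anyway, `c.Logger.Warn("unable to read the group sid", "sid", sid, "err", err)` would give operators the LDAP failure reason. The `groupEntries` declaration removed at the top of the hunk has no replacement on the visible new side, so it presumably now lives between the hunks; performLdapTokenGroupsSearch starts outside this hunk.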