  1. RH-SSO
  2. RHSSO-1011

Adding user to newly created group incurs full LDAP group sync

Details

    • Bug
    • Resolution: Done
    • Major
    • RH-SSO-7.2.0.CR1
    • RH-SSO-7.0.0.GA, RH-SSO-7.1.0.GA
    • None
    • None

    Description

      With LDAP user federation handling users and groups, adding a user to a newly created group causes the group mapper to perform a full sync of groups to LDAP. During a full group sync, the entirety of every group entry in LDAP gets rewritten even if none of that entry's attributes have changed. This is problematic in our environment for a few reasons:

      • We have 10,000+ groups; the RESTful call to add a user to a new group can take full minutes to return
      • RESTful calls to other nodes in the meantime may incur an Infinispan replication timeout, and we cannot prevent request delivery to faulting nodes due to case 01721387
      • Rewriting unchanged LDAP entries places an unnecessary load on LDAP multi-master replication

          People

            mtrue-1 Mark True (Inactive)
            rhn-support-dehort Derek Horton