PicketBox SECURITY-891

rolesSearch is doing a needless LDAP call for each individual role

Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Affects Version/s: None
    • Fix Version/s: PicketBox_4_9_2.Final
    • Component/s: JBossSX, Security-SPI
    • Labels: None

    Steps to Reproduce

      Have an app use the LdapExt login module and have a user who is a member of X LDAP groups log in. Sniff the network or watch the access log of the LDAP server.
      You will see:

      • a call to search for the user
      • a call to authenticate the user
      • a loop, repeated once per group the user belongs to, each time looking up a single group and fetching the required attribute

    Description

      https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java

      line 690:

          // Query the context for the roleDN values
          String[] attrNames = {roleAttributeID};
          Attributes result = null;
          if (sr.isRelative()) {
              result = ldapCtx.getAttributes(quoteDN(dn), attrNames);

      The getAttributes method forces another round trip to the LDAP server, while the required attribute is in fact already present on the "sr" SearchResult object returned by the roles search.

      If a user is a member of (let's say) 100 groups, then we can get an extra 100 calls to the LDAP server for a single login.
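      As an added example, not code from PicketBox: a hypothetical helper that runs the roles search once and, with refetchPerRole set to false, reads roleAttributeID from each SearchResult instead of issuing a getAttributes() call per group. It assumes the search's SearchControls request that attribute (which is what makes the per-group call redundant); rolesCtxDN, roleFilter and filterArgs are placeholder parameters, and a live DirContext is needed to run it.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Hypothetical helper, not PicketBox code: collects the values of
// roleAttributeID from every group entry matching roleFilter (for example
// "(member={0})" with the user's DN as filterArgs[0]).
public class RoleAttributeFetch {
    static List<String> collectRoles(DirContext ctx, String rolesCtxDN,
            String roleFilter, Object[] filterArgs, String roleAttributeID,
            boolean refetchPerRole) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // Ask the server to return roleAttributeID with each matching entry;
        // this is what makes a later per-entry getAttributes() redundant.
        sc.setReturningAttributes(new String[] { roleAttributeID });
        List<String> roles = new ArrayList<>();
        // One round trip: the server returns all matching groups at once.
        NamingEnumeration<SearchResult> results =
                ctx.search(rolesCtxDN, roleFilter, filterArgs, sc);
        while (results.hasMore()) {
            SearchResult sr = results.next();
            Attributes attrs;
            if (refetchPerRole) {
                // Pattern reported in this issue: one extra round trip per group,
                // asking again for an attribute the server already returned.
                attrs = ctx.getAttributes(sr.getNameInNamespace(),
                        new String[] { roleAttributeID });
            } else {
                // Fix: the attribute is already on the SearchResult.
                attrs = sr.getAttributes();
            }
            Attribute attr = attrs == null ? null : attrs.get(roleAttributeID);
            if (attr == null) continue; // entry lacks it, or it was not requested
            NamingEnumeration<?> values = attr.getAll();
            while (values.hasMore()) {
                roles.add(String.valueOf(values.next()));
            }
        }
        return roles;
    }
}
```

      Comparing the LDAP server's access log for the two modes shows the difference the report describes: the refetch path adds one request per group, the other path stays at a single search.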

    People

      Assignee: tfonteyn Tom Fonteyne (Inactive)
      Reporter: tfonteyn Tom Fonteyne (Inactive)