PicketBox / SECURITY-891

rolesSearch is doing a needless LDAP call for each individual role


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • PicketBox_4_9_2.Final
    • Components: JBossSX, Security-SPI

      Have an app use the LdapExt login module, and have a user who is a member of X LDAP groups log in. Sniff the network or watch the access log of the LDAP server.
      You will see:

      • a call to search the user
      • a call to authenticate the user
      • a loop, as many times as the user has groups, each time doing a lookup for a single group and fetching the required attribute.

      https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java

      line 690:

      // Query the context for the roleDN values
      String[] attrNames = {roleAttributeID};
      Attributes result = null;
      if (sr.isRelative()) {
          result = ldapCtx.getAttributes(quoteDN(dn), attrNames);

      The getAttributes method forces another roundtrip to the LDAP server, while the required attribute is in fact already present on the "sr" SearchResult object.

      If a user is a member of (let's say) 100 groups, then we get an extra 100 calls to the LDAP server.

              tfonteyn Tom Fonteyne (Inactive)
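The two patterns side by side, as an added example that is not part of the issue or of PicketBox itself. Instead of a real DirContext it uses a hypothetical AttributeFetcher interface (a stand-in for DirContext.getAttributes) that counts how many times it is called, and a constructed list of SearchResult entries that already carry the role attribute, which is the situation the report describes. The rolesWithExtraLookups method reproduces the per-role lookup; rolesFromSearchResult reads the attribute from the SearchResult the role search already returned and only falls back to a lookup when the attribute is absent, which is the case when it was not among the search's returning attributes.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;

public class RoleSearchRoundtrips {

    /** Hypothetical stand-in for DirContext.getAttributes(name, attrIds): one LDAP round trip per call. */
    interface AttributeFetcher {
        Attributes getAttributes(String dn, String[] attrIds) throws NamingException;
    }

    /** The pattern the issue describes: an extra getAttributes() call for every role entry found. */
    static List<String> rolesWithExtraLookups(List<SearchResult> results, String roleAttributeID,
                                              AttributeFetcher ctx) throws NamingException {
        List<String> roles = new ArrayList<>();
        String[] attrNames = {roleAttributeID};
        for (SearchResult sr : results) {
            Attributes result = ctx.getAttributes(sr.getName(), attrNames); // one round trip per group
            addRoles(result, roleAttributeID, roles);
        }
        return roles;
    }

    /** The fix: the role search already returned the attribute, so read it off the SearchResult. */
    static List<String> rolesFromSearchResult(List<SearchResult> results, String roleAttributeID,
                                              AttributeFetcher ctx) throws NamingException {
        List<String> roles = new ArrayList<>();
        for (SearchResult sr : results) {
            Attributes result = sr.getAttributes();
            if (result == null || result.get(roleAttributeID) == null) {
                // Only go back to the server when the search did not return the attribute
                // (e.g. it was not in the SearchControls returning attributes).
                result = ctx.getAttributes(sr.getName(), new String[] {roleAttributeID});
            }
            addRoles(result, roleAttributeID, roles);
        }
        return roles;
    }

    /** Copies every value of roleAttributeID out of attrs into roles (multi-valued attributes included). */
    private static void addRoles(Attributes attrs, String roleAttributeID, List<String> roles)
            throws NamingException {
        Attribute attr = attrs == null ? null : attrs.get(roleAttributeID);
        if (attr == null) {
            return;
        }
        NamingEnumeration<?> values = attr.getAll();
        while (values.hasMore()) {
            roles.add(values.next().toString());
        }
    }

    /** Constructed sample data: n group entries, each already carrying the role attribute. */
    static List<SearchResult> sampleGroups(int n, String roleAttributeID) {
        List<SearchResult> out = new ArrayList<>();
        for (int i = 0; i < n; i++) {
            Attributes attrs = new BasicAttributes(true);
            attrs.put(new BasicAttribute(roleAttributeID, "group" + i));
            out.add(new SearchResult("cn=group" + i + ",ou=groups,dc=example,dc=com", null, attrs));
        }
        return out;
    }

    public static void main(String[] args) throws NamingException {
        String roleAttributeID = "cn";
        List<SearchResult> results = sampleGroups(100, roleAttributeID);

        int[] roundTrips = {0};
        AttributeFetcher countingCtx = (dn, ids) -> {
            roundTrips[0]++;
            // The simulated server answers with the same attributes the search already returned.
            for (SearchResult sr : results) {
                if (sr.getName().equals(dn)) {
                    return sr.getAttributes();
                }
            }
            throw new NamingException("no such entry: " + dn);
        };

        List<String> before = rolesWithExtraLookups(results, roleAttributeID, countingCtx);
        System.out.println("old pattern:   " + roundTrips[0] + " extra lookups for " + before.size() + " roles");

        roundTrips[0] = 0;
        List<String> after = rolesFromSearchResult(results, roleAttributeID, countingCtx);
        System.out.println("fixed pattern: " + roundTrips[0] + " extra lookups for " + after.size() + " roles");
    }
}
```

Both methods return the same 100 role names; the difference is that the first costs 100 additional getAttributes() round trips and the second costs none when the search results already carry the attribute. The fallback branch is the check to keep: dropping the lookup is only safe if the role search requested roleAttributeID in its returning attributes, otherwise sr.getAttributes() will not contain it and the roles would silently come back empty.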