PicketBox issue SECURITY-891

rolesSearch is doing a needless LDAP call for each individual role


    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: PicketBox_4_9_2.Final
    • Fix Version/s: None
    • Component/s: JBossSX, Security-SPI
    • Labels: None
    • Steps to Reproduce:

      Have an app use the LdapExt login module, and have a user who is a member of some number of LDAP groups log in. Sniff the network or watch the access log of the LDAP server.
      You will see:

      • a call to search for the user
      • a call to authenticate the user
      • a loop with one iteration per group the user belongs to, each doing a lookup for a single group and fetching the required attribute.

      Description

      https://github.com/picketbox/picketbox/blob/master/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java

      line 690:

      // Query the context for the roleDN values
      String[] attrNames = {roleAttributeID};
      Attributes result = null;
      if (sr.isRelative()) {
          result = ldapCtx.getAttributes(quoteDN(dn), attrNames);

      The getAttributes call forces another round trip to the LDAP server, even though the required attribute is already present on the "sr" SearchResult object returned by the role search.

      If a user is a member of, let's say, 100 groups, that means an extra 100 calls to the LDAP server for a single login.
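      As an added example (not PicketBox's own code) of the change the report points at: the role search asks the server to return roleAttributeID with each entry, the attribute is read off the SearchResult, and getAttributes() remains only as a fallback for entries where the server withheld it. rolesCtxDN, roleFilter, filterArgs and the fallbackCalls counter are assumed placeholders for the module's configured options.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class RoleSearch {
    /** Per-role getAttributes() fallbacks made; 0 means no extra round trips. */
    public int fallbackCalls = 0;

    // rolesCtxDN, roleFilter, filterArgs and roleAttributeID are assumed placeholders
    // standing in for the login module's configured options (not taken from the page).
    public List<String> collectRoles(DirContext ldapCtx, String rolesCtxDN, String roleFilter,
                                     Object[] filterArgs, String roleAttributeID)
            throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // The fix: have the server return the role attribute with each entry,
        // so the loop below needs no per-entry getAttributes() call.
        controls.setReturningAttributes(new String[] {roleAttributeID});
        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> results =
                ldapCtx.search(rolesCtxDN, roleFilter, filterArgs, controls);
        try {
            while (results.hasMore()) {
                SearchResult sr = results.next();
                Attribute attr = sr.getAttributes().get(roleAttributeID);
                if (attr == null) {
                    // Only if the server withheld the attribute (e.g. an ACL) do we pay
                    // for the extra round trip the report describes.
                    fallbackCalls++;
                    // Rebuild the full DN for relative results, as the module's isRelative() branch does.
                    String name = sr.getName();
                    String dn = !sr.isRelative() ? name
                            : (name.isEmpty() ? rolesCtxDN : name + "," + rolesCtxDN);
                    attr = ldapCtx.getAttributes(dn, new String[] {roleAttributeID}).get(roleAttributeID);
                }
                if (attr == null) continue;
                for (int i = 0; i < attr.size(); i++) {
                    roles.add(attr.get(i).toString());
                }
            }
        } finally {
            results.close();
        }
        return roles;
    }
}
```

      After a login against a server that returns the attribute, fallbackCalls stays at 0, which is the check to run against the access log described in the reproduction steps.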

              People

              Assignee: Tom Fonteyne (tfonteyn)
              Reporter: Tom Fonteyne (tfonteyn)
              Votes: 0
              Watchers: 3
