
GroupLDAPStorageMapper or RoleLDAPStorageMapper retrieve all multivalued member attribute values

    Details

    • Docs QE Status:
      NEW
    • QE Status:
      ASSIGNED

      Description

      We are using GroupLdapMapper and RoleLdapMapper to retrieve user groups/roles from LDAP.
      We have a lot of groups in LDAP and every group has a lot of users.

      So in LDAP we have something like this:
      dn: cn=Group1,cn=groups,cn=app1,cn=groups,O=COMPANY_NAME,C=PL
      member:uid=user1,ou=CUSTOMER SERVICE,ou=DEPARTMENT1,ou=HEAD OFFICE,ou=REGION1,O=COMPANY,C=PL
      member:uid=user2,ou=CUSTOMER SERVICE,ou=DEPARTMENT2,ou=HEAD OFFICE,ou=REGION1,O=COMPANY,C=PL
      ....
      member:uid=user200,ou=CUSTOMER SERVICE,ou=DEPARTMENT2,ou=HEAD OFFICE,ou=REGION1,O=COMPANY,C=PL

      So when GroupLDAPStorageMapper or RoleLDAPStorageMapper sends a search to LDAP and sets the filter to member=uid=user1,ou=CUSTOMER SERVICE,ou=DEPARTMENT1,ou=HEAD OFFICE,ou=REGION1,O=COMPANY,C=PL - that's OK,
      but it also adds the attribute "member" to returningLdapAttributes in LDAPQuery - I think that is unnecessary.
      This causes it to retrieve all members for every group for every user (it becomes a Cartesian product), so it retrieves about 20MB per user from LDAP, and this is placed into the cache as well.

      I suggest removing from the Keycloak code:

      RoleLDAPStorageMapper.createRoleQuery()
      {
          ...
          // to delete:
          ldapQuery.addReturningLdapAttribute(membershipAttr);
          ...
      }

      GroupLDAPStorageMapper.createGroupQuery()
      {
          ...
          // to delete:
          ldapQuery.addReturningLdapAttribute(config.getMembershipLdapAttribute());
          ...
      }
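      The cost the reporter describes can be reproduced without a directory server. The following is an added example, not Keycloak code and not part of the issue: a tiny in-memory stand-in for an LDAP directory, a minimal equality-filter search that returns only the requested attributes, and the two query shapes being compared (with and without "member" among the returning attributes). The directory contents, DNs and helper names (build_directory, ldap_search, membership_query_cost) are constructed for illustration; DN matching is exact string comparison, which is a simplification of real LDAP DN matching rules.

```python
"""Per-user cost of a membership search with and without the member attribute.

Added example, not Keycloak code. Everything here is constructed: a small
in-memory "directory" of groups, an equality-filter search that projects only
the requested attributes, and a byte count of what would come back per user.
"""
import re


def user_dn(i: int) -> str:
    """Constructed user DN in the shape used by the ticket."""
    return f"uid=user{i},ou=CUSTOMER SERVICE,ou=DEPARTMENT1,O=COMPANY,C=PL"


def build_directory(num_groups: int, members_per_group: int) -> dict:
    """Constructed directory: every group lists the same large set of members."""
    users = [user_dn(i) for i in range(members_per_group)]
    directory = {}
    for g in range(num_groups):
        dn = f"cn=Group{g},cn=groups,cn=app1,cn=groups,O=COMPANY_NAME,C=PL"
        directory[dn] = {
            "cn": [f"Group{g}"],
            "objectClass": ["groupOfNames"],
            "member": list(users),
        }
    return directory


# Only the simple equality filter "(attr=value)" is modelled.
FILTER_RE = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>.*)\)$")


def ldap_search(directory: dict, filter_str: str, returning_attrs: list) -> list:
    """Minimal emulation of an LDAP search: keep entries whose attribute holds
    the filter value (exact match, a simplification of DN matching) and return
    only the attributes the client asked for."""
    m = FILTER_RE.match(filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, value = m.group("attr"), m.group("value")
    results = []
    for dn, entry in directory.items():
        if value in entry.get(attr, []):
            projected = {a: entry[a] for a in returning_attrs if a in entry}
            results.append((dn, projected))
    return results


def response_bytes(results: list) -> int:
    """Rough size of the search result: DNs plus every returned attribute value."""
    total = 0
    for dn, attrs in results:
        total += len(dn.encode())
        for name, values in attrs.items():
            total += sum(len(name.encode()) + len(v.encode()) for v in values)
    return total


def membership_query_cost(directory: dict, member_dn: str, include_member_attr: bool):
    """Run the group-membership lookup for one user and report
    (number of groups found, bytes returned). The filter is the same in both
    cases; only the returning attribute list differs."""
    attrs = ["cn"] + (["member"] if include_member_attr else [])
    results = ldap_search(directory, f"(member={member_dn})", attrs)
    return len(results), response_bytes(results)


if __name__ == "__main__":
    directory = build_directory(num_groups=3, members_per_group=200)
    for flag in (True, False):
        groups, size = membership_query_cost(directory, user_dn(0), flag)
        print(f"returning member={flag}: {groups} groups, {size} bytes")
```

      Both variants find the same groups, because the filter already does the membership test on the server side; the difference is only in what is shipped back. With "member" requested, the payload grows with the total membership of every group the user is in, which is the Cartesian growth described in the issue; without it, the payload depends only on the number and names of the groups.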


                People

                • Assignee:
                  mposolda Marek Posolda
                  Reporter:
                  awodarczyk Arkadiusz Wodarczyk
                  Tester:
                  Mark True
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue
