Fixed dynamic group ldap access #23344
Conversation
getUserGroups: Using $userDN instead of $uid to query LDAP Converting groupDN to group name using API instead of substring Removing cache processing at the end of the method
|
By analyzing the blame information on this pull request, we identified @blizzz, @leo-b and @GreenArchon to be potential reviewers |
|
Thanks a lot for your contribution! Alternatively you can add a comment here where you state that this contribution is MIT licensed. Some more details about out pull request workflow can be found here: http://owncloud.org/code-reviews-on-github/ |
|
cc @owncloud/ldap |
| if(isset($this->cachedGroupsByMember[$uid])) { | ||
| $groups = $this->cachedGroupsByMember[$uid]; | ||
| } else { | ||
| $groups = array_values($this->getGroupsByMember($uid)); |
There was a problem hiding this comment.
this and following line is still necessary, or did I oversee anything?
There was a problem hiding this comment.
Of course it should not overwrite, but append to $groups
There was a problem hiding this comment.
@blizzz
I don't know (yet) how your caching is working? Is that cache in the DB or in memory. I have the impression (can't prove it yet) that something goes wrong with the caching because of the cachekeys. At the top of the function the cachekey is generate with the uid and then the cache is read, but at the end of the method, the cachedGroupByMember is written with the userDN (in our case).
I'm trying to put back the cache code in place and just noticed that although the dynamic groups are now working in my code, the "static" groups (based on "uniquemember") are no longer being added to the groups list...
There was a problem hiding this comment.
$this->cachedGroupsByMember[$uid]
only exists on run-time. It is a member array of the class instance.
What should not be kept is the caching part, but the fetching of the other groups.
There was a problem hiding this comment.
@blizzz
I think I've got the groups working (both dynamic and static) ... but I need to do some more tests and get back on Monday.
There was a problem hiding this comment.
@alexweirig sounds great, thank you.
added back the cache processing and fixed
spaces -> tab conversion
|
@blizzz � I committed my latest code changes that have both dynamic and static groups being correctly returned. I'm still having performance issues but I'm wondering if this might not be a rendering time issue. Maybe it's that multi-select combobox that is causing the problem since it's being loaded with some 50 groups for each user if LDAP returns 500 users, thats 25.000 entries? |
|
When looking at the server processes and the rendering in the browser, I get the impression that the poor performance is indeed in the Javascript processing of the users list. |
|
@blizzz These results are reproducible at will. Even though FF and Chrome are not fast, they're significantly faster than Safari. I don't have any other browser to compare to. All browsers are updated at their latest version. |
|
Thanks a lot for your contribution! Alternatively you can add a comment here where you state that this contribution is MIT licensed. Some more details about out pull request workflow can be found here: http://owncloud.org/code-reviews-on-github/ |
|
@blizzz So something has changed that performs very badly ... twice as slow on Chrome and FF and about 3 times as slow on Safari. |
|
Yeah, rendering performance is really bad. What also changed compared to older version is that we initially load more users. This will add up to the fun :( Otherwise nothing really changed with the Users page AFAIK. |
|
The code looks good, I'll give it some tests after lunch. @alexweirig in the past you declared your code MIT. Do you do again? #23344 (comment) |
| } | ||
| $groupName = $this->access->dn2groupname($dynamicGroup['dn'][0]); | ||
| if(is_string($groupName)) { | ||
| // be sure to never return false if the dn could not be |
There was a problem hiding this comment.
the indentation is broken (seen in my IDE), please use tabs instead of spaces.
Using tabs now
fixed another line with spaces instead of tab
|
Thanks a lot for your contribution! Alternatively you can add a comment here where you state that this contribution is MIT licensed. Some more details about out pull request workflow can be found here: http://owncloud.org/code-reviews-on-github/ |
|
👍 only formatting issues (I'd just fix intention and ship it in the jenkins-PR) |
|
@rperezb can we have some testing? |
|
@SergioBertolinSG @davitol can you help testing? |
|
What are the steps here? |
|
@SergioBertolinSG make sure that reading user groups (e.g. users page, personal page) continues to work. With and without configured memcache. As plus, get an LDAP setup where dynamic group memberships are existing. @alexweirig perhaps might give pointers, if needed? @alexweirig a wourd about your code's license or CLA? |
|
@blizzz our code is MIT licensed. in order to use dynamic groups:
Then you can try to add/remove the attribute used in the filter to see if the users is added or removed to/from the group. |
|
@blizzz When looking at 9.0.1 it seems the contribution did not make it? Am I right? |
|
@alexweirig yes, two reviewers are required to get this merged to master, subsequently we can do the backport for 9.0x. Thus, next possible release is 9.0.2. |
|
@blizzz OK, so you're one of the reviewers? |
|
@blizzz Anything new about this? Have you found a second reviewer? I'd like to upgrade our owncloud but want to do so if I don't have to patch the code again and again on our server. |
|
@SergioBertolinSG @davitol can you help testing this ? |
Yes, I'll give it a try. |
|
@alexweirig regarding #23344 (comment) How can I add this steps to an existing openldap server? |
|
@SergioBertolinSG Thanks for offering your support. Actually I don't think you need to add anything to the server. I would expect that it is enough to define a new group with the following objectClass(es): You then add the following attributes: memberURL must have the following format: this should give you a dynamic group that owncloud would be able to process and show you the list of users matching the filter We're using a 389DS/IPA from RHEL so some terms tend to change compared to OpenLDAP. HTH Alex |
|
Trying to add ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/dyngroup.schema |
|
#23344 (comment) @karlitschek what's the process for MIT-licensed code? |
|
if stated that the code is MIT licensed as above then this is fine. fully compatible and no cla needed. but this has been done in every pull request. in the long run a signed cla is easier for everyone |
|
thanks |
|
@karlitschek Hello, I'm sending you the CLA to the email address specified on the CLA website. |
|
Hello, Thanks Alex |
|
@SergioBertolinSG @davitol @blizzz did you guys eventually managed to test this ? |
|
Let's move this forward in the internal PR because there are additional fixes included: #23450 |
|
@alexweirig This is not dead - it was just moved to another branch and therefore another PR :) |
|
@alexweirig the testing-branch was finally merged #23450 \o/ Thank you for the contribution and my sincere apologies it took so long to review and test it! |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
getUserGroups:
Using $userDN instead of $uid to query LDAP
Converting groupDN to group name using API instead of substring
Removing cache processing at the end of the method