Module: check_mk
Branch: master
Commit: d9d7f6589515bc2d2a1a4228c5821384311a22a4
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=d9d7f6589515bc…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Jan 16 10:11:35 2013 +0100
LDAP: Reduced number of ldap querys during a single page request / sync process
---
ChangeLog | 2 +
web/plugins/userdb/ldap.py | 45 +++++++++++++++++++++++++++++++++++++------
2 files changed, 40 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 106a27c..f6215ef 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -22,9 +22,11 @@
* Add: New user_options to limit seen nagios objects even the role is set to see all
* FIX: LDAP: Fixed problem with special chars in LDAP queries when having
contactgroup sync plugin enabled
+ * FIX: LDAP: OpenLDAP - Changed default filter for users
* LDAP: Role sync plugin validates the given group DNs with the group base dn now
* LDAP: Using roles defined in default user profile in role sync plugin processing
* LDAP: Improved error handling in case of misconfigurations
+ * LDAP: Reduced number of ldap querys during a single page request / sync process
1.2.1i4:
Core:
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 679dd52..d560bd1 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -49,6 +49,9 @@ except:
pass
from lib import *
+g_ladp_user_cache = {}
+g_ldap_group_cache = {}
+
# File for storing the time of the last success event
g_ldap_sync_time_file = defaults.var_dir + '/web/ldap_sync_time.mk'
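Review bot: The first added global is spelled `g_ladp_user_cache`, but every later hunk reads and writes `g_ldap_user_cache`, so that name is not defined at module level. `ldap_get_user` would raise a NameError on `if username in g_ldap_user_cache:` until `ldap_sync` has run its `global` assignment once in the same process. The line should read `g_ldap_user_cache = {}`.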
@@ -75,7 +78,8 @@ ldap_filter_map = {
'groups': '(objectclass=group)',
},
'openldap': {
- 'users': '(objectcategory=user)',
+ #'users': '(objectcategory=user)',
+ 'users': '(objectclass=person)',
'groups': '(objectclass=groupOfUniqueNames)',
},
}
@@ -91,6 +95,9 @@ ldap_filter_map = {
# | General LDAP handling code |
# '----------------------------------------------------------------------'
+def ldap_log(s):
+ file('/tmp/ldap.log', 'a').write('%s\n' % s)
+
class MKLDAPException(MKGeneralException):
pass
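Review bot: `ldap_log` appends unconditionally to the fixed path `/tmp/ldap.log`, and the later hunks call it from `ldap_bind` and `ldap_search` with bind names, search bases and filters. A fixed name in a world-writable directory can be pre-created or redirected by another local account. The file is also opened with the process's default permissions, so directory identifiers may become readable by other local users. The handle is never closed explicitly and nothing bounds the file's growth. If this trace is meant to stay, write it under the application's own directory and only when a debug option is set, for example `file(defaults.var_dir + '/web/ldap.log', 'a').write('%s\n' % s)`; otherwise drop the helper and its two call sites before release.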
@@ -169,6 +176,7 @@ def ldap_default_bind():
'connection settings</a>.'))
def ldap_bind(username, password, catch = True):
+ ldap_log('LDAP_BIND %s' % username)
try:
ldap_connection.simple_bind_s(username, password)
except ldap.LDAPError, e:
@@ -190,6 +198,8 @@ def ldap_search(base, filt = '(objectclass=*)', columns = [],
scope = None):
elif config_scope == 'one':
scope = ldap.SCOPE_ONELEVEL
+ ldap_log('LDAP_SEARCH "%s" "%s" "%s"
"%r"' % (base, scope, filt, columns))
+
# Convert all keys to lower case!
result = []
try:
@@ -248,6 +258,9 @@ def ldap_user_id_attr():
return config.ldap_userspec.get('user_id', ldap_attr('user_id'))
def ldap_get_user(username, no_escape = False):
+ if username in g_ldap_user_cache:
+ return g_ldap_user_cache[username]
+
# Check wether or not the user exists in the directory
# It's only ok when exactly one entry is found.
# Returns the DN and user_id as tuple in this case.
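Review bot: The cache hit at the top of `ldap_get_user` returns the stored tuple without looking at `no_escape`, while the uncached path in the next hunk stores the raw `(dn, user_id)` and then branches on `no_escape`. The `else` branch lies outside the hunk, but if it returns an escaped or otherwise transformed DN, the first and second call for the same user return different forms. Unpack the cached value instead, `dn, user_id = g_ldap_user_cache[username]`, and fall through to the existing `if no_escape:` branch so both paths share one return. A short comment stating that the cache holds the unescaped DN would also help.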
@@ -260,6 +273,9 @@ def ldap_get_user(username, no_escape = False):
if result:
dn = result[0][0]
user_id = result[0][1][ldap_user_id_attr()][0]
+
+ g_ldap_user_cache[username] = (dn, user_id)
+
if no_escape:
return (dn, user_id)
else:
@@ -290,20 +306,29 @@ def ldap_user_groups(username, attr = 'cn'):
# so the username read from ldap might differ. Fix it here.
user_dn, username = ldap_get_user(username)
+ if username in g_ldap_group_cache:
+ if attr == 'cn':
+ return g_ldap_group_cache[username][0]
+ else:
+ return g_ldap_group_cache[username][1]
+
# Apply configured group ldap filter and only reply with groups
# having the current user as member
filt = '(&%s(member=%s))' % (ldap_filter('groups'),
ldap.filter.escape_filter_chars(user_dn))
# First get all groups
- groups = []
+ groups_cn = []
+ groups_dn = []
for dn, group in
ldap_search(ldap_replace_macros(config.ldap_groupspec['dn']),
filt, ['cn']):
- if attr == 'cn':
- groups.append(group['cn'][0])
+ groups_cn.append(group['cn'][0])
+ groups_dn.append(dn)
- elif attr == 'dn':
- groups.append(dn)
+ g_ldap_group_cache.setdefault(username, (groups_cn, groups_dn))
- return groups
+ if attr == 'cn':
+ return groups_cn
+ else:
+ return groups_dn
# .----------------------------------------------------------------------.
# | _ _ _ _ _ _ |
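Review bot: `ldap_user_groups` returns the very list objects it keeps in `g_ldap_group_cache`, both on a hit and on the first call after `setdefault`. A caller that appends to or filters the result in place would change what every later caller in the same process receives. Because these lists appear to feed the role and contact group sync, return copies instead, e.g. `return list(g_ldap_group_cache[username][0])`, or store tuples. Note also that the final `else` now returns the DN list for any `attr` other than `'cn'`, where the old code returned an empty list for unknown values. If that is intended, say so in a comment; otherwise keep an explicit `elif attr == 'dn':`.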
@@ -568,6 +593,12 @@ def ldap_sync(add_to_changelog, only_username):
# requests to e.g. the page hook would cause duplicate calculations
file(g_ldap_sync_time_file, 'w').write('%s\n' % time.time())
+ # Flush ldap related before each sync to have a caching only for the
+ # current sync process
+ global g_ldap_user_cache, g_ldap_group_cache
+ g_ldap_user_cache = {}
+ g_ldap_group_cache = {}
+
ldap_connect()
# Unused at the moment, always sync all users
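Review bot: This reset inside `ldap_sync` is the only place the two caches are invalidated, and it sits after the sync-time write. If the web application keeps the module loaded between requests, a path that calls `ldap_get_user` or `ldap_user_groups` without reaching this point would keep serving entries from an earlier request, including group memberships that have since changed in the directory. The start of `ldap_sync` is outside the hunk, so confirm that no early return precedes the reset. Consider clearing the caches at the start of each page request as well. The comment is also missing a word; suggested: `# Flush the LDAP caches before each sync so cached entries live only for the current sync process`.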