[checkmk-commits] Check_MK Git: check_mk: LDAP: Reduced number of ldap querys during a single page request / sync process

Module: check_mk Branch: master Commit: d9d7f6589515bc2d2a1a4228c5821384311a22a4 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=d9d7f6589515bc… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Wed Jan 16 10:11:35 2013 +0100 LDAP: Reduced number of ldap querys during a single page request / sync process --- ChangeLog | 2 + web/plugins/userdb/ldap.py | 45 +++++++++++++++++++++++++++++++++++++------ 2 files changed, 40 insertions(+), 7 deletions(-) diff --git a/ChangeLog b/ChangeLog index 106a27c..f6215ef 100644 --- a/ChangeLog +++ b/ChangeLog @@ -22,9 +22,11 @@ * Add: New user_options to limit seen nagios objects even the role is set to see all * FIX: LDAP: Fixed problem with special chars in LDAP queries when having contactgroup sync plugin enabled + * FIX: LDAP: OpenLDAP - Changed default filter for users * LDAP: Role sync plugin validates the given group DNs with the group base dn now * LDAP: Using roles defined in default user profile in role sync plugin processing * LDAP: Improved error handling in case of misconfigurations + * LDAP: Reduced number of ldap querys during a single page request / sync process 1.2.1i4: Core: diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py index 679dd52..d560bd1 100644 --- a/web/plugins/userdb/ldap.py +++ b/web/plugins/userdb/ldap.py @@ -49,6 +49,9 @@ except: pass from lib import * +g_ladp_user_cache = {} +g_ldap_group_cache = {} + # File for storing the time of the last success event g_ldap_sync_time_file = defaults.var_dir + '/web/ldap_sync_time.mk' @@ -75,7 +78,8 @@ ldap_filter_map = { 'groups': '(objectclass=group)', }, 'openldap': { - 'users': '(objectcategory=user)', + #'users': '(objectcategory=user)', + 'users': '(objectclass=person)', 'groups': '(objectclass=groupOfUniqueNames)', }, } @@ -91,6 +95,9 @@ ldap_filter_map = { # | General LDAP handling code | # '----------------------------------------------------------------------' +def ldap_log(s): + file('/tmp/ldap.log', 'a').write('%s\n' % s) + class MKLDAPException(MKGeneralException): pass @@ -169,6 +176,7 @@ def ldap_default_bind(): 'connection settings</a>.')) def ldap_bind(username, password, catch = True): + ldap_log('LDAP_BIND %s' % username) try: ldap_connection.simple_bind_s(username, password) except ldap.LDAPError, e: @@ -190,6 +198,8 @@ def ldap_search(base, filt = '(objectclass=*)', columns = [], scope = None): elif config_scope == 'one': scope = ldap.SCOPE_ONELEVEL + ldap_log('LDAP_SEARCH "%s" "%s" "%s" "%r"' % (base, scope, filt, columns)) + # Convert all keys to lower case! result = [] try: @@ -248,6 +258,9 @@ def ldap_user_id_attr(): return config.ldap_userspec.get('user_id', ldap_attr('user_id')) def ldap_get_user(username, no_escape = False): + if username in g_ldap_user_cache: + return g_ldap_user_cache[username] + # Check wether or not the user exists in the directory # It's only ok when exactly one entry is found. # Returns the DN and user_id as tuple in this case. @@ -260,6 +273,9 @@ def ldap_get_user(username, no_escape = False): if result: dn = result[0][0] user_id = result[0][1][ldap_user_id_attr()][0] + + g_ldap_user_cache[username] = (dn, user_id) + if no_escape: return (dn, user_id) else: @@ -290,20 +306,29 @@ def ldap_user_groups(username, attr = 'cn'): # so the username read from ldap might differ. Fix it here. user_dn, username = ldap_get_user(username) + if username in g_ldap_group_cache: + if attr == 'cn': + return g_ldap_group_cache[username][0] + else: + return g_ldap_group_cache[username][1] + # Apply configured group ldap filter and only reply with groups # having the current user as member filt = '(&%s(member=%s))' % (ldap_filter('groups'), ldap.filter.escape_filter_chars(user_dn)) # First get all groups - groups = [] + groups_cn = [] + groups_dn = [] for dn, group in ldap_search(ldap_replace_macros(config.ldap_groupspec['dn']), filt, ['cn']): - if attr == 'cn': - groups.append(group['cn'][0]) + groups_cn.append(group['cn'][0]) + groups_dn.append(dn) - elif attr == 'dn': - groups.append(dn) + g_ldap_group_cache.setdefault(username, (groups_cn, groups_dn)) - return groups + if attr == 'cn': + return groups_cn + else: + return groups_dn # .----------------------------------------------------------------------. # | _ _ _ _ _ _ | @@ -568,6 +593,12 @@ def ldap_sync(add_to_changelog, only_username): # requests to e.g. the page hook would cause duplicate calculations file(g_ldap_sync_time_file, 'w').write('%s\n' % time.time()) + # Flush ldap related before each sync to have a caching only for the + # current sync process + global g_ldap_user_cache, g_ldap_group_cache + g_ldap_user_cache = {} + g_ldap_group_cache = {} + ldap_connect() # Unused at the moment, always sync all users