
Reduce redundant LDAP calls without caching #290

Open. Wants to merge 1 commit into base: master.

Conversation

piyush-sadangi

@piyush-sadangi piyush-sadangi commented Apr 12, 2024

Applicable Issues

Description of the Change

Basics
LDAP protocol: It is a protocol used for accessing and maintaining distributed directory information services over a network. It's commonly used for managing user information and facilitating authentication and authorization.

LDAP Directory: This acts like a database, but unlike traditional databases that are table-based, LDAP directories are tree-structured. They store entries (like users) in a hierarchical format.
Context Source (LdapContextSource):

LdapContextSource: It is a configuration setup that provides details about how to connect to the LDAP server. It includes information such as the URL of the LDAP server, credentials to access it (if necessary), and the base directory from which to perform operations.

Direct Bind: In LDAP terminology, "binding" is the method by which LDAP clients authenticate to the LDAP server. A "direct bind" involves attempting to connect (or "bind") to the LDAP server using a complete user DN (Distinguished Name, which is the unique path to a specific entry in the LDAP directory) and password.

BindAuthenticator: This is a component used in Spring Security that performs authentication by attempting a direct bind with the LDAP server. It's different from just querying the server with a username/password combination; it actually tries to establish a connection using those credentials.

How does BindAuthenticator work?

  1. Search and Bind: First, a search is conducted in the LDAP directory to find the user's DN based on a username provided during the authentication process.
    Once the DN is located, BindAuthenticator attempts to bind to the LDAP server using that DN and the password supplied by the user.
  2. Configuration: You configure BindAuthenticator with a LdapContextSource (provides connection details to LDAP) and possibly a user search mechanism (FilterBasedLdapUserSearch in your setup), which helps locate the user's DN based on a search filter.

Earlier vs Now approach

  1. Earlier: We relied on a high-level abstraction that uses Spring Security's ldapAuthentication() DSL (Domain Specific Language) to simplify the configuration. Internally it performs many of the same steps as the manual configuration, but with reasonable defaults. This was leading to 6 LDAP calls.
  2. Now: We switched to BindAuthenticator to have precise control over the LDAP authentication setup. It combines the search and authentication steps into a closely managed process. This reduces the overhead of separate calls for user retrieval and verification.

On closely monitoring the Wireshark details, we see a reduction of LDAP calls from 6 to 4, with BindAuthenticator removing redundant LDAP calls.

Alternate Designs

Possible Drawbacks

Sign-off

Developer's Certificate of Origin 1.1

By making a contribution to this project, I certify that:

(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or

(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or

(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.

(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.

Signed-off-by:
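The search-then-bind wiring the description above calls the "now" approach, as an added illustration that is not the PR's own code: an LdapContextSource for connection details, a FilterBasedLdapUserSearch to locate the user's DN, and a BindAuthenticator that binds as that DN with the supplied password. The LDAP URL, base DN, search base, filter and the service-account credentials are placeholders assumed for the example, not values from the project.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

@Configuration
public class LdapBindConfig {

    // Connection details for the directory. URL, base DN and the
    // service-account credentials are placeholders, not the project's values.
    @Bean
    public LdapContextSource contextSource() {
        LdapContextSource cs = new LdapContextSource();
        cs.setUrl("ldaps://ldap.example.invalid:636");   // placeholder; LDAPS keeps the bind password off the wire
        cs.setBase("dc=example,dc=invalid");             // placeholder
        // Service account used only for the user-DN search (step 1), never
        // for verifying the user's password. Read it from the environment
        // or a secret store rather than hard-coding it.
        cs.setUserDn("cn=search-svc,ou=services,dc=example,dc=invalid"); // placeholder
        cs.setPassword(System.getenv("LDAP_SEARCH_PASSWORD"));
        return cs;
    }

    // Step 1 (search): locate the user's DN with a filter. {0} is passed as a
    // JNDI filter argument, which escapes LDAP filter metacharacters, so the
    // login name cannot alter the filter's structure.
    @Bean
    public FilterBasedLdapUserSearch userSearch(LdapContextSource cs) {
        return new FilterBasedLdapUserSearch("ou=people", "(uid={0})", cs); // placeholders
    }

    // Step 2 (bind): bind as the located DN with the password the user typed.
    // The directory verifies the password; the application never sees or
    // compares password hashes.
    @Bean
    public BindAuthenticator bindAuthenticator(LdapContextSource cs,
                                               FilterBasedLdapUserSearch search) {
        BindAuthenticator authenticator = new BindAuthenticator(cs);
        authenticator.setUserSearch(search);
        return authenticator;
    }

    // The provider Spring Security calls during login; it delegates to the
    // BindAuthenticator above instead of the ldapAuthentication() DSL.
    @Bean
    public LdapAuthenticationProvider ldapAuthenticationProvider(BindAuthenticator a) {
        return new LdapAuthenticationProvider(a);
    }
}
```

Counting the LDAP operations on the wire for one login (the search bind, the search, the user bind) with a packet capture, as the description does, is the way to confirm the reduction in your own deployment.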

@piyush-sadangi piyush-sadangi force-pushed the ldapCalls branch 4 times, most recently from 89681c5 to b441b53 Compare April 22, 2024 08:43

@shudhansu-shekhar shudhansu-shekhar left a comment


+1


@vishnu-alapati vishnu-alapati left a comment


Tested, working as expected.


@vishnu-alapati vishnu-alapati left a comment


Tested, working as expected.


@shudhansu-shekhar shudhansu-shekhar left a comment


Looks fine.

@jainadc9 jainadc9 changed the title EIFA:369: Reduce redundant LDAP calls without caching Reduce redundant LDAP calls without caching Apr 25, 2024
4 participants