Merge pull request #533 from cchurch/cache_ldap_user_groups

Prefetch LDAP user groups to reduce queries for checking group membership
2026-01-17 04:31:21 -03:30 · 2015-12-16 11:28:30 -05:00 · 2015-12-16 11:28:30 -05:00 · 63a2299dd2
commit 63a2299dd2
parent 70e9d621c0 8552ea91a8
5 changed files with 38 additions and 9 deletions
--- a/awx/main/tests/users.py
+++ b/awx/main/tests/users.py
@ -929,7 +929,7 @@ class LdapTest(BaseTest):
        if not self.ldap_password:
            self.skipTest('no test LDAP password defined')
        # Set test LDAP settings that are always needed.
-        for name in ('SERVER_URI', 'BIND_DN', 'BIND_PASSWORD', 'USE_TLS'):
+        for name in ('SERVER_URI', 'BIND_DN', 'BIND_PASSWORD', 'USE_TLS', 'CONNECTION_OPTIONS'):
            self.use_test_setting(name)

    def check_login(self, username=None, password=None, should_fail=False):
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@ -4,6 +4,7 @@
 import os
 import re  # noqa
 import sys
+import ldap
 import djcelery
 from datetime import timedelta

@ -231,6 +232,12 @@ AUTHENTICATION_BACKENDS = (
 # LDAP server (default to None to skip using LDAP authentication).
 AUTH_LDAP_SERVER_URI = None

+# Disable LDAP referrals by default (to prevent certain LDAP queries from
+# hanging with AD).
+AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0,
+}
+
 # Radius server settings (default to empty string to skip using Radius auth).
 RADIUS_SERVER = ''
 RADIUS_PORT = 1812
--- a/awx/settings/local_settings.py.docker_compose
+++ b/awx/settings/local_settings.py.docker_compose
@ -167,6 +167,11 @@ LOGGING['handlers']['syslog'] = {
 # Refer to django-auth-ldap docs for more details:
 # http://pythonhosted.org/django-auth-ldap/authentication.html

+# Imports needed for LDAP configuration.
+import ldap
+from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+from django_auth_ldap.config import ActiveDirectoryGroupType
+
 # LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or
 # "ldaps://ldap.example.com:636" (SSL).  LDAP authentication is disable if this
 # parameter is empty.
@ -183,10 +188,11 @@ AUTH_LDAP_BIND_PASSWORD = ''
 # Enable TLS when the connection is not using SSL.
 AUTH_LDAP_START_TLS = False

-# Imports needed for remaining LDAP configuration.
-import ldap
-from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
-from django_auth_ldap.config import ActiveDirectoryGroupType
+# Additional options to set for the LDAP connection.  LDAP referrals are
+# disabled by default (to prevent certain LDAP queries from hanging with AD).
+AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0,
+}

 # LDAP search query to find users.
 AUTH_LDAP_USER_SEARCH = LDAPSearch(
@ -334,6 +340,9 @@ TEST_AUTH_LDAP_SERVER_URI = ''
 TEST_AUTH_LDAP_BIND_DN = ''
 TEST_AUTH_LDAP_BIND_PASSWORD = ''
 TEST_AUTH_LDAP_START_TLS = False
+TEST_AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0,
+}

 # LDAP username/password for testing authentication.
 TEST_AUTH_LDAP_USERNAME = ''
--- a/awx/settings/local_settings.py.example
+++ b/awx/settings/local_settings.py.example
@ -165,6 +165,11 @@ LOGGING['handlers']['syslog'] = {
 # Refer to django-auth-ldap docs for more details:
 # http://pythonhosted.org/django-auth-ldap/authentication.html

+# Imports needed for LDAP configuration.
+import ldap
+from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+from django_auth_ldap.config import ActiveDirectoryGroupType
+
 # LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or
 # "ldaps://ldap.example.com:636" (SSL).  LDAP authentication is disable if this
 # parameter is empty.
@ -181,10 +186,11 @@ AUTH_LDAP_BIND_PASSWORD = ''
 # Enable TLS when the connection is not using SSL.
 AUTH_LDAP_START_TLS = False

-# Imports needed for remaining LDAP configuration.
-import ldap
-from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
-from django_auth_ldap.config import ActiveDirectoryGroupType
+# Additional options to set for the LDAP connection.  LDAP referrals are
+# disabled by default (to prevent certain LDAP queries from hanging with AD).
+AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0,
+}

 # LDAP search query to find users.
 AUTH_LDAP_USER_SEARCH = LDAPSearch(
@ -332,6 +338,9 @@ TEST_AUTH_LDAP_SERVER_URI = ''
 TEST_AUTH_LDAP_BIND_DN = ''
 TEST_AUTH_LDAP_BIND_PASSWORD = ''
 TEST_AUTH_LDAP_START_TLS = False
+TEST_AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0,
+}

 # LDAP username/password for testing authentication.
 TEST_AUTH_LDAP_USERNAME = ''
--- a/awx/sso/backends.py
+++ b/awx/sso/backends.py
@ -199,6 +199,10 @@ def on_populate_user(sender, **kwargs):
    ldap_user = kwargs['ldap_user']
    backend = ldap_user.backend

+    # Prefetch user's groups to prevent LDAP queries for each org/team when
+    # checking membership.
+    ldap_user._get_groups().get_group_dns()
+
    # Update organization membership based on group memberships.
    org_map = getattr(backend.settings, 'ORGANIZATION_MAP', {})
    for org_name, org_opts in org_map.items():