Authentication with LDAP very slow

Hello all,
I had installed LibreNMS, and when I used MySQL authentication it was very fast to access LibreNMS, but I used the LDAP authentication and now it is very very very slow to access LibreNMS.
And there are a lot of queries between the LDAP server and the LibreNMS server.
Can you help me please?
Thank you.

It’s expected to have a lot of calls to the LDAP server. It needs to query it to validate permissions and group membership. If your logins are slow then either the LDAP server is slow to respond or you have high latency between the LibreNMS server and the LDAP server.

Very very very slow is probably too slow :stuck_out_tongue:

Post here your LDAP configuration if you want to be sure (removing the confidential information).

Hi @FTBZ, no, the LDAP server is not slow, because I use it with another application and it is very fast.

```php
// Authentication Model
$config['auth_mechanism'] = 'ldap';
$config['allow_unauth_graphs'] = 1;
$config['auth_ldap_server'] = 'ldap://ldapserveur.fr';
$config['auth_ldap_port'] = 389;
$config['auth_ldap_starttls'] = FALSE;
$config['auth_ldap_prefix'] = 'uid=';
$config['auth_ldap_suffix'] = ',ou=Users,ou=People,dc=prd,dc=mutu,dc=fr';
$config['auth_ldap_group'] = 'cn=SECDOM0000046,ou=SECDOM,ou=HostAccess,ou=Groups,dc=prd,dc=mutu,dc=fr';
$config['auth_ldap_groupbase'] = 'ou=Groups,dc=prd,dc=met,dc=fr';
$config['auth_ldap_groupmembertype'] = "fulldn"; // Available membertypes: 'nodn' (default, uses $username);
$config['auth_ldap_groupmemberattr'] = "uniqueMember"; // Use your unique attribute for username, example "uniqueMember".
$config['auth_ldap_version'] = 3;
$config['auth_ldap_groups']['']['level'] = 5;
```

The reason for this is that the function getUserlist in LibreNMS/Authentication/LdapAuthorizer.php extracts the list of users of the groups in $config['auth_ldap_groups'] by using a memberOf filter.

If the memberOf filter is not supported by the LDAP server, the function falls back to a process where all the users in LDAP are parsed to find out whether they are members of $config['auth_ldap_groups']. Search for "// probably doesn't support memberOf, go through all users, this could be slow" in the code.

LDAP authentication needs to be rewritten
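
Why the fallback described above is slow, as an added example that is not part of the thread and not LibreNMS code: a small in-memory model that counts LDAP round trips for the memberOf lookup and for the all-users fallback. The directory contents, the group DN and the cost of one round trip per membership check are assumptions of the model.

```python
# Added illustration, not LibreNMS code. The directory is constructed sample data.
from dataclasses import dataclass

GROUP_DN = "cn=netops,ou=Groups,dc=example,dc=org"  # hypothetical group DN


@dataclass
class FakeDirectory:
    """In-memory stand-in for an LDAP server that counts round trips."""
    users: dict              # user DN -> set of group DNs the user belongs to
    supports_memberof: bool  # does the server maintain the memberOf attribute?
    round_trips: int = 0

    def search_users(self, member_of=None):
        self.round_trips += 1
        if member_of is None:
            return list(self.users)          # unfiltered search: every user entry
        if not self.supports_memberof:
            return []                        # filter on a missing attribute matches nothing
        return [dn for dn, groups in self.users.items() if member_of in groups]

    def compare_member(self, group_dn, user_dn):
        # Assumption: one round trip to test the group's uniqueMember against user_dn.
        self.round_trips += 1
        return group_dn in self.users[user_dn]


def get_userlist(directory, group_dns):
    """Return (sorted member DNs, round trips used) for the configured groups."""
    start = directory.round_trips
    members = set()
    for group_dn in group_dns:               # fast path: one filtered search per group
        members.update(directory.search_users(member_of=group_dn))
    if not members:                          # fallback: walk every user in the directory
        for user_dn in directory.search_users():
            if any(directory.compare_member(g, user_dn) for g in group_dns):
                members.add(user_dn)
    return sorted(members), directory.round_trips - start


def build_directory(n_users, supports_memberof):
    """Constructed directory where every 100th user is in GROUP_DN."""
    users = {f"uid=user{i},ou=Users,dc=example,dc=org": set() for i in range(n_users)}
    for i in range(0, n_users, 100):
        users[f"uid=user{i},ou=Users,dc=example,dc=org"].add(GROUP_DN)
    return FakeDirectory(users, supports_memberof)


if __name__ == "__main__":
    for supported in (True, False):
        found, trips = get_userlist(build_directory(2000, supported), [GROUP_DN])
        print(f"memberOf={supported}: {len(found)} members, {trips} round trips")
```

In this model the fallback cost grows with the total number of users in the directory, not with the size of the authorized group, which matches the large number of queries reported at the top of the thread.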

Fix works for me. @yac_w, please test it

Hello,

I have tested my fix successfully but I need somebody else to test the fix.

In order to test the code, assuming the app is in /opt/librenms:

```
cp -p /opt/librenms/LibreNMS/Authentication/LdapAuthorizer.php /opt/librenms/LibreNMS/Authentication/LdapAuthorizer.php.old
wget https://raw.githubusercontent.com/louis-oui/librenms/ldap/LibreNMS/Authentication/LdapAuthorizer.php -O /opt/librenms/LibreNMS/Authentication/LdapAuthorizer.php
```

To revert the change:

```
cp -p /opt/librenms/LibreNMS/Authentication/LdapAuthorizer.php.old /opt/librenms/LibreNMS/Authentication/LdapAuthorizer.php
```

There are scripts to test PRs: `./scripts/github-apply 10760`, and to roll back to the original code: `./scripts/github-remove -d`