How to avoid contacting ldap in every user query

sotirisk · June 10, 2022, 12:56pm

i have setup user federation in keycloak with ldap . i have used open ldap with one user.
user has been imported successfully and he is visible in the list of users with the correct attributes.
the problem is that ldap is searched for every user query and that creates an ldap performance problem.
i have searched for some configuration option for limiting ldap queries but i couldnt find any

this is the kubectl log output of openldap

62a33f16 conn=4543 fd=17 ACCEPT from IP=172.17.0.1:58012 (IP=0.0.0.0:389)
62a33f16 conn=4543 fd=17 closed (connection lost)
62a33f16 conn=4544 fd=17 ACCEPT from IP=172.17.0.1:58014 (IP=0.0.0.0:389)
62a33f16 conn=4544 fd=17 closed (connection lost)
62a33f17 conn=4545 fd=17 ACCEPT from IP=172.17.0.7:51384 (IP=0.0.0.0:389)
62a33f17 conn=4546 fd=18 ACCEPT from IP=172.17.0.7:51386 (IP=0.0.0.0:389)
62a33f17 conn=4546 op=0 BIND dn=“cn=admin,dc=example,dc=org” method=128
62a33f17 conn=4546 op=0 BIND dn=“cn=admin,dc=example,dc=org” mech=SIMPLE ssf=0
62a33f17 conn=4546 op=0 RESULT tag=97 err=0 text=
62a33f17 conn=4546 op=1 SRCH base=“dc=example,dc=org” scope=1 deref=3 filter="(&(cn=billy)(objectClass=inetOrgPerson)(objectClass=organizationalPerson))"
62a33f17 conn=4546 op=1 SRCH attr=entryUUID mail cn sn objectclass createTimestamp modifyTimestamp
62a33f17 <= mdb_equality_candidates: (cn) not indexed
62a33f17 conn=4546 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
62a33f17 conn=4547 fd=19 ACCEPT from IP=172.17.0.7:51388 (IP=0.0.0.0:389)
62a33f17 conn=4547 op=0 BIND dn=“cn=admin,dc=example,dc=org” method=128
62a33f17 conn=4547 op=0 BIND dn=“cn=admin,dc=example,dc=org” mech=SIMPLE ssf=0
62a33f17 conn=4547 op=0 RESULT tag=97 err=0 text=
62a33f17 conn=4547 op=1 SRCH base=“dc=example,dc=org” scope=1 deref=3 filter="(&(cn=billy)(objectClass=inetOrgPerson)(objectClass=organizationalPerson))"
62a33f17 conn=4547 op=1 SRCH attr=entryUUID mail cn sn objectclass createTimestamp modifyTimestamp
62a33f17 <= mdb_equality_candidates: (cn) not indexed
62a33f17 conn=4547 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

the request is
curl --noproxy ‘*’ -X GET -v -H “Authorization: Bearer $token” -k -d “client_id=admin-cli” -d “username=admin” -d “password=1234” -d “grant_type=password” -d “client_secret” “https://172.17.0.7:8443/auth/admin/realms/master/users”

Topic		Replies	Views
Behavior of user federation Configuring the server user-federation , ldap	2	1002	October 27, 2022
Reduce LDAP Queries Configuring the server admin-rest , ldap	3	725	June 13, 2023
User federation LDAP filtering Getting advice admin-console , user-federation , ldap	0	1201	January 10, 2022
Providing a password for user federation LDAP username Getting advice ldap	1	460	July 12, 2021
Too many LDAP user federation connections Getting advice user-federation , ldap	2	427	July 21, 2022

How to avoid contacting ldap in every user query

Related Topics