Problem with slow token issuing when using many ldap mappers

Hi,

We have a problem with our Keycloak environment which only happens in our production environment, because in production we have many more users and configured clients.

This environment has an external LDAP attached. There are seven realms configured, but the largest one has a lot of clients (>500) configured. To avoid overloading the tokens with roles, about 150 of these clients have a (client-specific) LDAP mapper configured to only use the necessary roles. This seems to lead to very slow response times of the token endpoint. It can take up to 8 seconds to issue a token. This is too long for some applications, which time out the authentication requests after 5 seconds, and it leads to a poor user experience in general.
In our QA environment this problem does not exist, but we don't have nearly as many mappers configured there. However, we have reproduced the issue in QA using a dedicated realm with about 1000 LDAP mappers. In the logs we can clearly see that for every issued token all LDAP mappers are executed. The other, less used, realms are also faster.

We are wondering why the mappers seem to slow down the issuing of tokens, although we have configured them as client-specific and not as realm role mappings. We would expect that only the mappers the client needs get used, but our logging shows that mappers that don't belong to the client get executed as well, which slows down token issuing. We have already updated our environment from Keycloak 6 to Keycloak 8.0.2, which did not help.

An example LDAP mapper configuration:

{
  "id" : "x-000000000101",
  "name" : "ldap-groups-mapped-to-roles",
  "providerId" : "role-ldap-mapper",
  "providerType" : "org.keycloak.storage.ldap.mappers.LDAPStorageMapper",
  "parentId" : "x-000000000001",
  "config" : {
    "mode" : [ "READ_ONLY" ],
    "membership.attribute.type" : [ "DN" ],
    "user.roles.retrieve.strategy" : [ "LOAD_ROLES_BY_MEMBER_ATTRIBUTE" ],
    "roles.dn" : [ "cn=Resources,ou=x,dc=y" ],
    "membership.user.ldap.attribute" : [ "uid" ],
    "membership.ldap.attribute" : [ "uniquemember" ],
    "role.name.ldap.attribute" : [ "cn" ],
    "roles.ldap.filter" : [ "(|(cn=GROUP1_)(cn=GROUP2_))" ],
    "use.realm.roles.mapping" : [ "false" ],
    "role.object.classes" : [ "groupOfUniqueNames" ],
    "client.id" : [ "[clientid]" ]
  }
}

Has anybody experienced something similar? Or are there any settings we are missing that might help?


Hi Bboortz,

We are facing a similar issue now. Did you find any solution or workaround for this?

Thanks!!

The problem usually occurs when the client has Full Scope Allowed set to ON. Then all LDAP mappers are executed when a token is issued, and the token endpoint responds slowly.

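A small audit script to go with the answer above, added here as an example and not taken from the thread or from the Keycloak project. It works offline on client and LDAP-mapper representations in the JSON shape the Keycloak admin REST API returns (`GET /admin/realms/{realm}/clients` and `GET /admin/realms/{realm}/components?type=org.keycloak.storage.ldap.mappers.LDAPStorageMapper`), lists the clients that still have Full Scope Allowed ON, shows which role mappers are actually scoped to each of them (mirroring the `client.id` and `use.realm.roles.mapping` keys of the mapper posted above), and builds the PUT body that turns the flag off. The client IDs, mapper IDs, realm name and the `fetch_json` helper's base URL and token are constructed for the example.

```python
"""Audit a Keycloak realm for clients that still have Full Scope Allowed ON.

Added example for this thread, not code from the posts or from Keycloak.
Input shapes follow the admin REST API (ClientRepresentation and
ComponentRepresentation); the sample data below is constructed.
"""
import json
import urllib.request

# Constructed sample: three clients, two of them with Full Scope Allowed ON.
SAMPLE_CLIENTS = json.loads("""
[
  {"id": "c-1", "clientId": "app-a", "fullScopeAllowed": true},
  {"id": "c-2", "clientId": "app-b", "fullScopeAllowed": false},
  {"id": "c-3", "clientId": "app-c", "fullScopeAllowed": true}
]
""")

# Constructed sample mappers, config keys as in the mapper posted in the thread.
SAMPLE_MAPPERS = json.loads("""
[
  {"id": "m-1", "name": "roles-app-a", "providerId": "role-ldap-mapper",
   "config": {"use.realm.roles.mapping": ["false"], "client.id": ["app-a"]}},
  {"id": "m-2", "name": "roles-app-b", "providerId": "role-ldap-mapper",
   "config": {"use.realm.roles.mapping": ["false"], "client.id": ["app-b"]}},
  {"id": "m-3", "name": "realm-roles", "providerId": "role-ldap-mapper",
   "config": {"use.realm.roles.mapping": ["true"]}},
  {"id": "m-4", "name": "username", "providerId": "user-attribute-ldap-mapper",
   "config": {}}
]
""")


def clients_with_full_scope(clients):
    """clientIds whose Full Scope Allowed flag is ON.

    A missing flag is treated as ON, which is the default for a new client.
    """
    return sorted(c["clientId"] for c in clients if c.get("fullScopeAllowed", True))


def role_mappers_for_client(mappers, client_id):
    """Names of role-ldap-mappers scoped to client_id: use.realm.roles.mapping
    is false and client.id names that client. Other mapper types are ignored."""
    names = []
    for m in mappers:
        if m.get("providerId") != "role-ldap-mapper":
            continue
        cfg = m.get("config", {})
        if cfg.get("use.realm.roles.mapping", ["false"])[0] == "true":
            continue
        if cfg.get("client.id", [None])[0] == client_id:
            names.append(m["name"])
    return sorted(names)


def disable_full_scope(client):
    """Copy of a client representation with Full Scope Allowed turned OFF,
    usable as the body of PUT /admin/realms/{realm}/clients/{id}."""
    updated = dict(client)
    updated["fullScopeAllowed"] = False
    return updated


def audit(clients, mappers):
    """For every client with Full Scope Allowed ON, report the role mappers
    scoped to it next to the total number of role mappers in the realm."""
    total = sum(1 for m in mappers if m.get("providerId") == "role-ldap-mapper")
    return {
        cid: {"scoped_mappers": role_mappers_for_client(mappers, cid),
              "role_mappers_in_realm": total}
        for cid in clients_with_full_scope(clients)
    }


def fetch_json(base_url, realm, path, token):
    """Live variant (not used by the offline demo): GET an admin endpoint with
    a bearer token, e.g. fetch_json(url, realm, "clients", token)."""
    req = urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/{path}",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CLIENTS, SAMPLE_MAPPERS), indent=2))
```

For the constructed sample the report shows `app-a` with one scoped mapper and `app-c` with none, both against three role mappers in the realm; a client like `app-c` is the kind that gains nothing from Full Scope Allowed and is the first candidate for switching it off.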