52464 – mod_authnz_ldap does expensive sub-group processing prematurely

Bug 52464 - mod_authnz_ldap does expensive sub-group processing prematurely

Summary: mod_authnz_ldap does expensive sub-group processing prematurely

Status:	RESOLVED FIXED

Alias:	None

Product:	Apache httpd-2
Classification:	Unclassified
Component:	mod_authnz_ldap (show other bugs)
Version:	2.5-HEAD
Hardware:	PC Linux

Importance:	P2 normal (vote)
Target Milestone:	---
Assignee:	Apache HTTPD Bugs Mailing List

URL:
Keywords:	FixedInTrunk

Depends on:
Blocks:

Reported:	2012-01-13 16:31 UTC by Eric Covener
Modified:	2012-08-21 15:56 UTC (History)
CC List:	0 users

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Eric Covener 2012-01-13 16:31:23 UTC

When a group has lots of non-subgroup users in it, the default AuthLDAPSubGroupAttribute will not screen out these users and mod_ldap will do an ldap_compare to check if each user is of class AuthLDAPSubGroupClass to determine if it's a subgroup.

This causes a large flat group to generate many compares / take a long time if we check them for subgroups.


Meanwhile. AuthLDAPGroupAttribute makes us iterate through different attributes, but we don't check all the attributes for a flat-group match before trying subgroups.

Comment 1 Rainer Jung 2012-08-21 15:49:08 UTC

This has been fixed with r1231255, r1231257 for trunk and with r1374256 for 2.4.x.
It is part of the release 2.4.3.

Keeping issue open for others to decide whether a backport for 2.2 is recommended.

Comment 2 Eric Covener 2012-08-21 15:56:55 UTC

no nested groups in 2.2