WIP: optimizations for LDAP group membership resolution (!215) · Merge requests · GitLab.org / GitLab

username-removed-114630 requested to merge cernvcs/gitlab-ee:feature/fast_ad_ldap_membership into master Feb 23, 2016

This MR brings several performance improvements and fixes to LDAP group sync:

Use Windows SID to speed up group membership resolution when available (in an AD environment); SIDs allow to evaluate group membership without querying the LDAP groups, at the cost of storing the group's SID in the GitLab database
Reduce database round-trips in LDAP group sync by preloading groups a user already has access to
Treat group CN case-insensitively - fixes #288
Prevent LDAP group sync from creating orphan groups - fixes #325 (closed)

In our environment with several hundred LdapGroupLinks and Active Directory, on a server with no load this speeds up a "slow click" from 7000ms to 1900ms and the daily LDAP sync task from 180 min to 80 min.

We propose this as a step forward with regards to #278; this is compatible with !190 (merged)

WIP as tests and update of the LDAP doc are still missing, but we'd appreciate feedback on the approach before completing the work.

Admin message

Admin message

WIP: optimizations for LDAP group membership resolution

Merge request reports