Optimize LDAP group sync operations
Separate the LDAP group sync process from the regular LDAP access checks and optimize.
So far, this is a somewhat working PoC that splits the group sync operation to a new worker. It updates all members for a group as it iterates, instead of looping through users and updating groups that way. I am adding lots of logging because this would have been extremely helpful in the past.
There are lots of things still broken, or not considered. However, at least group members are added and updated when I use it in my idyllic dev environment.
- Sync groups
- Sync admins
- Make it work with all types of LDAP groups (with member, member_uid, etc. attributes)
- Update tests
- Document - Moved to https://gitlab.com/gitlab-org/gitlab-ee/issues/397
- Add scheduled job? (and associated config)
Do these in another merge request
- Answer: Do we still need some sort of sync on user sign in? No, not possible
- Answer: Should sync time be configurable? Maybe, let's wait and see if it's requested.
- Answer: Should the group button to 'Reset cache' be changed to 'Sync now'? Yes, see https://gitlab.com/gitlab-org/gitlab-ee/issues/399 and https://gitlab.com/gitlab-org/gitlab-ee/issues/398
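
The group-first pass described above, as an added Ruby sketch that is not code from this merge request or from GitLab: each LDAP group entry is resolved once and diffed against current membership, with every add and remove logged. All method names, the log format and the sample data are assumptions made for illustration.

```ruby
require "set"

# DN comparison ignores case and spacing; escaped commas are not handled here.
def normalize_dn(dn)
  dn.split(",").map(&:strip).join(",").downcase
end

# Resolve one LDAP group entry to application usernames. Static groups carry
# full DNs in `member`; posixGroup-style entries carry bare uids in `memberuid`.
def ldap_members(entry, users)
  dns  = Array(entry["member"]).map { |dn| normalize_dn(dn) }.to_set
  uids = Array(entry["memberuid"]).map(&:downcase).to_set
  matched = users.select do |u|
    dns.include?(normalize_dn(u[:dn])) || uids.include?(u[:uid].downcase)
  end
  matched.map { |u| u[:username] }.to_set
end

# One pass per group: diff directory membership against current membership
# and log every change, so a revoked membership is visible in the sync log.
def sync_group(name, entry, users, current, log)
  wanted = ldap_members(entry, users)
  (wanted - current).each { |u| log << "group=#{name} action=add user=#{u}" }
  (current - wanted).each { |u| log << "group=#{name} action=remove user=#{u}" }
  wanted
end

# Constructed sample data (hypothetical users, groups and memberships).
USERS = [
  { username: "alice", uid: "alice", dn: "uid=alice,ou=people,dc=example,dc=com" },
  { username: "bob",   uid: "bob",   dn: "uid=bob,ou=people,dc=example,dc=com" },
  { username: "carol", uid: "carol", dn: "uid=carol,ou=people,dc=example,dc=com" }
].freeze
ENTRIES = {
  "devs" => { "member" => ["UID=Alice, OU=people, DC=example, DC=com"] },
  "ops"  => { "memberuid" => ["carol"] }
}.freeze
CURRENT = { "devs" => Set["alice", "bob"], "ops" => Set[] }.freeze

# Sync every group in one sweep; returns the new memberships and the change log.
def run_sync
  log = []
  synced = ENTRIES.to_h do |name, entry|
    [name, sync_group(name, entry, USERS, CURRENT.fetch(name, Set.new), log)]
  end
  [synced, log]
end

puts run_sync.last if __FILE__ == $PROGRAM_NAME
```

The `remove` line for bob is the revocation path: once the scheduled sync is the only place membership is reconciled, its interval bounds how long access removed in the directory stays live in the application.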