yahoo-eng-team team mailing list archive

[Bug 1398347] [NEW] LDAP backend should do filtered query instead of getting all data and then filtering

 

Public bug reported:

When I want to find an entity (group/user) by name (using /v3/users?name=MyUser or /v3/groups?name=MyGroup), LDAP gets all data associated with the entity (for example the whole users database) and then filters it.
It should do filtering at the query level in my opinion. It is very useful when having a huge LDAP catalog.

How it works now:
If I want to find a user with name: MyUser...
1. Keystone queries LDAP in user_tree_dn for all entities matching user_filter
2. Filters out the user (MyUser) I am looking for

How it should work:
If I want to find a user with name: MyUser...
1. Keystone queries LDAP in user_tree_dn for the user matching both user_filter and ({user_name_attribute}=MyUser)

{user_name_attribute} is of course from keystone.conf or
keystone.domainName.conf

This approach reduces data downloaded from LDAP and allows having a very large users database without shrinking it down by user_filter (not always possible) or using paging (also not always possible).
I heard that there was some effort to move filtering to the query level, but the status is unknown.

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: ldap

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1398347

Title:
  LDAP backend should do filtered query instead of getting all data and
  then filtering

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1398347/+subscriptions
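
Added example, not part of the original report and not Keystone's own code: one way to build the combined server-side filter the report asks for, with the ?name= value escaped per RFC 4515 so it cannot alter the filter structure. The function names are hypothetical and the sample values in the comments are constructed.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX hex escapes
# when they appear inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# An attribute description is a short name or a numeric OID.
_ATTR_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")


def escape_filter_value(value):
    """Escape an untrusted string for use as an LDAP assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_name_filter(base_filter, name_attribute, name):
    """AND the configured filter with an equality match on the name.

    base_filter    -- the configured user_filter (may be empty)
    name_attribute -- the configured user_name_attribute
    name           -- the ?name= query parameter (untrusted input)
    """
    if not _ATTR_RE.match(name_attribute):
        raise ValueError("invalid attribute name: %r" % name_attribute)
    name_term = "(%s=%s)" % (name_attribute, escape_filter_value(name))

    base = (base_filter or "").strip()
    if not base:
        # No configured filter: the name match is the whole query.
        return name_term
    if not base.startswith("("):
        # Tolerate a filter configured without its outer parentheses.
        base = "(%s)" % base
    return "(&%s%s)" % (base, name_term)


if __name__ == "__main__":
    # Constructed sample values.
    print(build_name_filter("(objectClass=inetOrgPerson)", "cn", "MyUser"))
    # A name containing filter metacharacters stays a literal value.
    print(build_name_filter("(objectClass=inetOrgPerson)", "cn", "*)(uid=*"))
```
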

