[horde] ldap + performance

Jan Schneider jan at horde.org
Mon Jun 17 11:52:15 UTC 2013


Quoting Andreas Schulze <sca at andreasschulze.de>:

> Hi again,
>
> My user database is an LDAP server. So I have:
> $conf['ldap']['hostspec'] = 'ldaps://ldap.example.org';
> $conf['ldap']['tls'] = false;
> $conf['ldap']['version'] = 3;
> $conf['ldap']['binddn'] = 'cn=horde,dc=local';
> $conf['ldap']['bindpw'] = 'test';
> $conf['ldap']['bindas'] = 'horde';
> $conf['ldap']['useldap'] = true;
> $conf['auth']['params']['driverconfig'] = 'horde';
>
> I noticed Horde contacts the LDAP server on every page requested.
> Even if it's /test.php
>
> 51bb907e conn=1069 fd=11 ACCEPT from horde.example.org (IP=[2001...]:636)
> 51bb907e conn=1069 fd=11 TLS established tls_ssf=128 ssf=128
> 51bb907e conn=1069 op=0 BIND dn="cn=horde,dc=local" method=128
> 51bb907e conn=1069 op=0 BIND dn="cn=horde,dc=local" mech=SIMPLE ssf=0
> 51bb907e conn=1069 op=0 RESULT tag=97 err=0 text=
> 51bb907e conn=1069 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> 51bb907e conn=1069 op=1 SRCH attr=vendorName vendorVersion namingContexts altServer supportedExtension supportedControl supportedSASLMechanisms supportedLDAPVersion subschemaSubentry
> 51bb907e conn=1069 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 51bb907e conn=1069 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> 51bb907e conn=1069 op=2 SRCH attr=subschemaSubentry
> 51bb907e conn=1069 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> 51bb907e conn=1069 op=3 SRCH base="cn=dvSubSchema" scope=0 deref=0 filter="(objectClass=*)"
> 51bb907e conn=1069 op=3 SRCH attr=attributeTypes dITContentRules dITStructureRules matchingRules matchingRuleUse nameForms objectClasses ldapSyntaxes
> 51bb907e conn=1069 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
> 51bb907e conn=1069 op=4 UNBIND
> 51bb907e conn=1069 fd=11 closed
>
> That takes only 0.1 sec, but *every* request...
>
> Any suggestions to access LDAP really only for authentication purposes?
> Thanks
>
> Andreas

This is not easily possible. For example, if binding to the server with
the user credentials, we need to search the user DN when
*instantiating* the LDAP backend; this cannot be done on demand. At
least not with how the LDAP library is currently designed.
-- 
Jan Schneider
The Horde Project
http://www.horde.org/
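
One way to measure what the quoted slapd log shows, as an added example that is not part of the original thread or of Horde's code: it groups log lines by connection and separates rootDSE and schema reads from real directory searches. The sample log is constructed from the lines quoted above plus a hypothetical second connection (conn=1070, uid=alice); treating any base containing "schema" as the subschema entry is an assumed heuristic.

```python
import re
from collections import defaultdict

# Constructed sample: slapd lines in the format quoted in the post (attribute
# continuation lines left out) plus a hypothetical connection 1070.
SAMPLE_LOG = '''\
51bb907e conn=1069 fd=11 ACCEPT from horde.example.org (IP=[2001...]:636)
51bb907e conn=1069 op=0 BIND dn="cn=horde,dc=local" method=128
51bb907e conn=1069 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
51bb907e conn=1069 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
51bb907e conn=1069 op=3 SRCH base="cn=dvSubSchema" scope=0 deref=0 filter="(objectClass=*)"
51bb907e conn=1069 op=4 UNBIND
51bb907f conn=1070 op=0 BIND dn="cn=horde,dc=local" method=128
51bb907f conn=1070 op=1 SRCH base="dc=local" scope=2 deref=0 filter="(uid=alice)"
51bb907f conn=1070 op=2 UNBIND
'''

LINE = re.compile(r'conn=(\d+) op=\d+ (BIND|SRCH|UNBIND)\b(.*)')
BASE = re.compile(r'base="([^"]*)" scope=(\d)')
BIND_DN = re.compile(r'dn="([^"]*)" method=')

def classify(rest):
    """Label one SRCH line; 'SRCH attr=...' lines carry no base and yield None."""
    m = BASE.search(rest)
    if not m:
        return None
    base, scope = m.groups()
    if base == "" and scope == "0":
        return "rootdse"
    if "schema" in base.lower() and scope == "0":  # assumed heuristic
        return "schema"
    return "directory"

def summarize(log):
    """Per connection: the bind DN and a count of each kind of search."""
    conns = defaultdict(lambda: {"bind_dn": None, "rootdse": 0, "schema": 0, "directory": 0})
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, rest = int(m.group(1)), m.group(2), m.group(3)
        if op == "BIND" and (dn := BIND_DN.search(rest)):
            conns[conn]["bind_dn"] = dn.group(1)
        elif op == "SRCH" and (kind := classify(rest)):
            conns[conn][kind] += 1
    return dict(conns)

def discovery_only(summary):
    """Connections that read only rootDSE/schema and never searched the directory."""
    return sorted(c for c, s in summary.items()
                  if s["directory"] == 0 and s["rootdse"] + s["schema"] > 0)
```

Run over a real slapd log, the share of connections returned by `discovery_only` shows how much LDAP traffic comes from backend instantiation rather than from user lookups.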


