For the record:
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
reports in note 19 that specifying the object class can be dramatically
faster, so e.g.
(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0}))
as the group membership filter should be faster than
(member:1.2.840.113556.1.4.1941:={0})
if using the `Search for groups containing user` strategy
On 10 June 2014 11:51, teilo <[email protected]> wrote:
>
>
> On Thursday, 22 May 2014 16:12:52 UTC+1, Stephen Connolly wrote:
>>
>> OK, so there is now rumoured to be a faster and better way to look up the
>> groups that a user belongs to in the LDAP 1.10 plugin.
>>
>> I say rumoured because due to the complexities of Active Directory server
>> configurations, one can never be quite sure until one has had a fair amount
>> of testing.
>>
>> To that end, please could you set up a simple test Jenkins instance and
>> upgrade to ldap:1.10 and configure the `Parse user attribute for list of
>> groups` group membership strategy (again rumour has it that on Active
>> Directory the attribute `memberOf` is the magic attribute.
>>
>> See if that ends up giving you the same JENKINS_URL/whoAmI list of groups
>> as when you have the `Search for groups containing user` set with the
>> filter being `(member:1.2.840.113556.1.4.1941:={0})`... though the `Parse
>> user attribute for list of groups` should be very very fast for login while
>> the `Search for groups containing user` could take *ages*.
>>
>
> it gives the same results as 1.8 - when used without the
> LDAP_MATCHING_RULE_IN_CHAIN extension. (ie 'search groups containing user'
> = "(member={0})" )
>
> using the above OID on large installations is not possible as single
> queries take over 90 seconds and are culled by the AD server.
>
> it is faster than 1.8 for the same results - but it sounds like you where
> expecting recursive groups to be supported?
>
>
>
>> Respond back here with your findings so that I can remove the Red text on
>> the version history about this being a rumour
>>
>
> /James
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
>
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
