LDAP auth seems excessively slow to start

I’ve configured our Rancher server to use our AD LDAP for authentication.

This works, but the initial login takes a very long time – like 30sec or more! After connecting, all seems to work, but I suspect group selection in the ‘Edit Environment’ is also affected by the same thing because it seems to go on forever.

We have a very large AD – many thousands of groups, though my user is only in fifty or so – and about 50 thousand user objects. I don’t know if this is related to the issue. Other applications are working fine, though I have come across others in the past that made an assumption on a small LDAP and need to have additional filters defined.

Is this a known problem? Has Rancher LDAP integration been tested with a very large LDAP? If scale is a problem, would it be possible to add configurable filters to restrict to a certain subset of groups/users?

Thanks

We know it’s too slow even with a smallish number of users and groups, especially over a long connection (e.g. to AD on a host in a different datacenter/cloud), and will be working to improve it.

I believe the primary problem is essentially looping over all your memberships to get info about the group. When it’s all finally done that gets turned into a jwt (token) so we don’t have to talk to AD again to authorize requests.


Hmm, and I’m in about 50+ groups, and students can be in one or more for every module they take. No wonder it is a trifle slow. Would be quicker to allow us to specify a user root and group root, and optional search filters, and then retrieve groups in one windowed query (has to be windowed else AD query limits stop you from retrieving all the items in one hit when there are a lot of groups)

I did notice that the group dropdown took forever, but once it was finished, it worked quickly every time after that. I guess you cache this either in a token or in the database?
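To make the two approaches discussed in this thread concrete, here is an added example (not code from the thread or from Rancher) that contrasts the per-membership lookup loop with a single filtered, paged ("windowed") group search against a constructed in-memory stand-in for AD; the `FakeDirectory` class, its `page_limit`, and the sample DNs are all assumptions, while the filter shape and RFC 4515 escaping are standard LDAP.

```python
from typing import Dict, List, Optional, Tuple

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a DN or name placed in a filter cannot change its structure."""
    return ''.join('\\%02x' % ord(c) if c in '*()\\\x00' else c for c in value)

def member_of_filter(user_dn: str, group_filter: str = '(objectClass=group)') -> str:
    """Single filter returning only the groups the user is a direct member of."""
    return '(&%s(member=%s))' % (group_filter, escape_filter_value(user_dn))

class FakeDirectory:
    """Constructed stand-in for AD: counts round trips and caps page size like MaxPageSize."""
    def __init__(self, groups: Dict[str, List[str]], page_limit: int = 1000) -> None:
        self.groups = groups            # group DN -> list of member DNs
        self.page_limit = page_limit
        self.round_trips = 0

    def lookup(self, group_dn: str) -> List[str]:
        """Read one group object (what a per-membership loop does for every group)."""
        self.round_trips += 1
        return self.groups[group_dn]

    def search(self, user_dn: str, page_size: int, cookie: int) -> Tuple[List[str], Optional[int]]:
        """Filtered search with simple paged results; a None cookie means no more pages."""
        self.round_trips += 1
        size = min(page_size, self.page_limit)   # server clamps oversized pages
        hits = [dn for dn, members in self.groups.items() if user_dn in members]
        end = cookie + size
        return hits[cookie:end], (end if end < len(hits) else None)

def groups_by_looping(directory: FakeDirectory, membership_dns: List[str]) -> List[str]:
    """Pattern described in the thread: one round trip per membership."""
    return [dn for dn in membership_dns if directory.lookup(dn) is not None]

def groups_by_paged_search(directory: FakeDirectory, user_dn: str, page_size: int = 500) -> List[str]:
    """One windowed query: round trips = ceil(matching groups / page size)."""
    found: List[str] = []
    cookie: Optional[int] = 0
    while cookie is not None:
        page, cookie = directory.search(user_dn, page_size, cookie)
        found.extend(page)
    return found

def build_sample_directory(user_dn: str, member_of: int, other: int) -> FakeDirectory:
    """Constructed data: `member_of` groups containing the user, `other` groups that do not."""
    groups = {'CN=g%d,OU=Groups,DC=example,DC=com' % i: [user_dn] for i in range(member_of)}
    groups.update({'CN=x%d,OU=Groups,DC=example,DC=com' % i: [] for i in range(other)})
    return FakeDirectory(groups)
```

With a user in 50 groups, the loop costs 50 round trips while a paged search with a page size of 20 costs 3, and the escaping keeps a user-controlled DN from rewriting the filter.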