LDAP group search doesn't use filter

Bug #1177630 reported by Brandon Miles on 2013-05-08
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Adam Young

Bug Description

It doesn't look like the LDAP search for the group list is using the filter specified in the config. If you have a large group OU, the performance hit is very noticeable.

The actual method is list_user_groups in the GroupApi class. I've attached the patch we've been using in production in case that helps.


Brandon Miles (brandon-miles-8) wrote :
summary: - Group search doesn't use filter
+ LDAP group search doesn't use filter
Dolph Mathews (dolph) on 2013-06-07
Changed in keystone:
importance: Undecided → Medium
tags: added: grizzly-backport-potential
Dolph Mathews (dolph) wrote :

Any chance you can sign the CLA and put that patch up for review? It looks fine to me as-is, other than overriding the `filter()` builtin, so I'd just write it as http://paste.openstack.org/raw/38243/

Changed in keystone:
status: New → Confirmed
Brandon Miles (brandon-miles-8) wrote :

Thanks Dolph, I'll put that patch up for review. I'll have to get it approved through our legal department first, so it may be a week or so before I can post it.

Dolph Mathews (dolph) wrote :


Adam Young (ayoung) on 2013-08-01
Changed in keystone:
assignee: nobody → Adam Young (ayoung)

Fix proposed to branch: master
Review: https://review.openstack.org/40283

Changed in keystone:
status: Confirmed → In Progress

Reviewed: https://review.openstack.org/40283
Committed: http://github.com/openstack/keystone/commit/ec9b1df7042e02660b39c75ad49ac4115b8f46ad
Submitter: Jenkins
Branch: master

commit ec9b1df7042e02660b39c75ad49ac4115b8f46ad
Author: Adam Young <email address hidden>
Date: Mon Aug 5 17:00:02 2013 -0400

    filter in ldap list_groups_for_user

    Bug 1177630

    Change-Id: I46d393c5f21330c5ab13539f0358fc80b1588660

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2013-09-05
Changed in keystone:
milestone: none → havana-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-3 → 2013.2
Alan Pevec (apevec) on 2014-03-30
tags: removed: grizzly-backport-potential
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers