1) Why did it perform 2 search requests before bind? The first one, with filterstr=(&(<email address hidden>)(objectClass=ibmPerson)), is sufficient to get the DN to bind against.
2) I also don't understand the two identical search requests with filterstr=(&(uid=R87162821)(objectClass=ibmPerson)) after the bind was successfully performed. So instead of doing search&bind, it does search+search+bind+search+search...
3) If I additionally enable "user_enabled_emulation", the LDAP backend performs 2x more search requests, which degrades performance significantly. But it seems like it's already addressed in #1299033.
2014.2.1 on CentOS 7
My LDAP config:
* /etc/keystone/domains/keystone.bluepages.conf
[ldap]
url = ldap://bluepages.ibm.com
query_scope = one
user_tree_dn = c=ru,ou=bluepages,o=ibm.com
user_objectclass = ibmPerson
user_id_attribute = uid
user_name_attribute = mail
user_mail_attribute = mail
user_pass_attribute =
user_enabled_attribute =
#user_enabled_emulation = True
#user_enabled_emulation_dn = cn=openstack,ou=memberlist,ou=ibmgroups,o=ibm.com
user_allow_create = False
user_allow_update = False
user_allow_delete = False

[identity]
driver = keystone.identity.backends.ldap.Identity
I was experimenting with requesting of auth tokens:
* token-req.json
{
  "auth": {
    "identity": {
      "methods" : [
        "password"
      ],
      "password" : {
        "user" : {
          "domain" : {
            "name" : "bluepages"
          },
          "name": "<email address hidden>",
          "password" : "passw0rd"
        }
      }
    }
  }
}

$ curl -si -d @token-req.json -H "Content-type: application/json" http://localhost:35357/v3/auth/tokens
This works fine; however, I see excessive LDAP requests in keystone.log:
2014-12-23 21:26:48.783 24458 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://bluepages.ibm.com _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:571
2014-12-23 21:26:48.783 24458 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:575
2014-12-23 21:26:48.850 24458 DEBUG keystone.common.ldap.core [-] LDAP search: base=c=ru,ou=bluepages,o=ibm.com scope=1 filterstr=(&(<email address hidden>)(objectClass=ibmPerson)) attrs=['', 'uid', 'mail'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:926
2014-12-23 21:26:49.234 24458 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:899
2014-12-23 21:26:49.234 24458 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: 9311e7259dc145a4a5acbe829f77cf1b, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/site-packages/keystone/identity/core.py:321
2014-12-23 21:26:49.235 24458 DEBUG keystone.identity.core [-] Local ID: R87162821 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/site-packages/keystone/identity/core.py:339
2014-12-23 21:26:49.238 24458 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 8136eec10a5c7f6d61f130e875687f50368c5d8bdfd53454a9647e69b5132991 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/site-packages/keystone/identity/core.py:352
2014-12-23 21:26:49.247 24458 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://bluepages.ibm.com _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:571
2014-12-23 21:26:49.247 24458 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:575
2014-12-23 21:26:49.248 24458 DEBUG keystone.common.ldap.core [-] LDAP search: base=c=ru,ou=bluepages,o=ibm.com scope=1 filterstr=(&(uid=R87162821)(objectClass=ibmPerson)) attrs=['', 'uid', 'mail'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:926
2014-12-23 21:26:49.614 24458 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:899
2014-12-23 21:26:49.615 24458 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://bluepages.ibm.com _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:571
2014-12-23 21:26:49.615 24458 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:575
2014-12-23 21:26:49.616 24458 DEBUG keystone.common.ldap.core [-] LDAP bind: who=uid=R87162821,c=ru,ou=bluepages,o=ibm.com simple_bind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:891
2014-12-23 21:26:49.960 24458 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:899
2014-12-23 21:26:49.960 24458 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: 9311e7259dc145a4a5acbe829f77cf1b, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/site-packages/keystone/identity/core.py:321
2014-12-23 21:26:49.960 24458 DEBUG keystone.identity.core [-] Local ID: R87162821 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/site-packages/keystone/identity/core.py:339
2014-12-23 21:26:49.965 24458 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 8136eec10a5c7f6d61f130e875687f50368c5d8bdfd53454a9647e69b5132991 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/site-packages/keystone/identity/core.py:352
2014-12-23 21:26:50.011 24458 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://bluepages.ibm.com _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:571
2014-12-23 21:26:50.011 24458 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:575
2014-12-23 21:26:50.012 24458 DEBUG keystone.common.ldap.core [-] LDAP search: base=c=ru,ou=bluepages,o=ibm.com scope=1 filterstr=(&(uid=R87162821)(objectClass=ibmPerson)) attrs=['', 'uid', 'mail'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:926
2014-12-23 21:26:50.366 24458 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:899
2014-12-23 21:26:50.366 24458 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: 9311e7259dc145a4a5acbe829f77cf1b, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/site-packages/keystone/identity/core.py:321
2014-12-23 21:26:50.367 24458 DEBUG keystone.identity.core [-] Local ID: R87162821 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/site-packages/keystone/identity/core.py:339
2014-12-23 21:26:50.371 24458 DEBUG keystone.identity.core [-] Found existing mapping to public ID: 8136eec10a5c7f6d61f130e875687f50368c5d8bdfd53454a9647e69b5132991 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/site-packages/keystone/identity/core.py:352
2014-12-23 21:26:50.375 24458 DEBUG keystone.common.ldap.core [-] LDAP init: url=ldap://bluepages.ibm.com _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:571
2014-12-23 21:26:50.375 24458 DEBUG keystone.common.ldap.core [-] LDAP init: use_tls=False tls_cacertfile=None tls_cacertdir=None tls_req_cert=2 tls_avail=1 _common_ldap_initialization /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:575
2014-12-23 21:26:50.375 24458 DEBUG keystone.common.ldap.core [-] LDAP search: base=c=ru,ou=bluepages,o=ibm.com scope=1 filterstr=(&(uid=R87162821)(objectClass=ibmPerson)) attrs=['', 'uid', 'mail'] attrsonly=0 search_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:926
2014-12-23 21:26:50.722 24458 DEBUG keystone.common.ldap.core [-] LDAP unbind unbind_s /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:899
2014-12-23 21:26:50.722 24458 DEBUG keystone.identity.core [-] ID Mapping - Domain ID: 9311e7259dc145a4a5acbe829f77cf1b, Default Driver: False, Domains: False, UUIDs: False, Compatible IDs: True _set_domain_id_and_mapping /usr/lib/python2.7/site-packages/keystone/identity/core.py:321
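As an added example (not code from the bug report or from Keystone), the script below reads keystone.log lines of the shape quoted above and reports, for one token request, the ordered sequence of LDAP round-trips (search/bind), how many connections were opened and closed, and the wall time spent on LDAP, which makes the search+search+bind+search+search pattern measurable rather than eyeballed. The line regex, the helper names and the sample log are assumptions constructed for this example; the mail address in the sample is made up.

```python
"""Count the LDAP wire operations Keystone issues for one token request (added example, not Keystone code)."""
import re
from collections import Counter
from datetime import datetime

# Line shape follows the report's log (timestamp, pid, logger, message, function, file:line);
# the regex itself is an assumption made for this example.
LDAP_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \d+ DEBUG keystone\.common\.ldap\.core"
    r" \[-\] LDAP (?P<op>init|search|bind|unbind):?\s*(?P<detail>.*?)\s*\w+ \S+:\d+$")
FILTER_ATTR = re.compile(r"filterstr=\(&\((\w+)=")  # attribute the search filter keys on

def parse_ldap_ops(lines):
    """Return [(timestamp, op, label)]; lines from other loggers (identity.core etc.) are skipped."""
    ops = []
    for line in lines:
        m = LDAP_LINE.match(line.strip())
        if not m:
            continue
        op = label = m.group("op")
        if op == "search":  # label searches by the attribute they look up, e.g. search:mail
            f = FILTER_ATTR.search(m.group("detail"))
            label = "search:" + (f.group(1) if f else "?")
        ops.append((datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"), op, label))
    return ops

def summarize(ops):
    """Round-trips (search/bind) in order, connections used, and wall time in milliseconds."""
    trips = [label for _, op, label in ops if op in ("search", "bind")]
    counts = Counter(op for _, op, _ in ops)
    wall_ms = round((ops[-1][0] - ops[0][0]).total_seconds() * 1000) if ops else 0
    return {"sequence": trips, "round_trips": len(trips),
            "connections": counts["unbind"],  # every connection in the report's log ends with unbind
            "wall_ms": wall_ms}

# Constructed sample mirroring the report's sequence (mail address made up, one init line kept).
SEARCH = "LDAP search: base=c=ru,ou=bluepages,o=ibm.com scope=1 filterstr=(&(%s)(objectClass=ibmPerson)) attrs=['', 'uid', 'mail'] attrsonly=0"
def _line(ts, msg, func, lineno):
    return f"2014-12-23 {ts} 24458 DEBUG keystone.common.ldap.core [-] {msg} {func} /usr/lib/python2.7/site-packages/keystone/common/ldap/core.py:{lineno}"
SAMPLE_LOG = [
    _line("21:26:48.783", "LDAP init: url=ldap://bluepages.ibm.com", "_common_ldap_initialization", 571),
    _line("21:26:48.850", SEARCH % "mail=user@example.com", "search_s", 926),
    _line("21:26:49.234", "LDAP unbind", "unbind_s", 899),
    "2014-12-23 21:26:49.235 24458 DEBUG keystone.identity.core [-] Local ID: R87162821 _set_domain_id_and_mapping_for_single_ref /usr/lib/python2.7/site-packages/keystone/identity/core.py:339",
    _line("21:26:49.248", SEARCH % "uid=R87162821", "search_s", 926),
    _line("21:26:49.614", "LDAP unbind", "unbind_s", 899),
    _line("21:26:49.616", "LDAP bind: who=uid=R87162821,c=ru,ou=bluepages,o=ibm.com", "simple_bind_s", 891),
    _line("21:26:49.960", "LDAP unbind", "unbind_s", 899),
    _line("21:26:50.012", SEARCH % "uid=R87162821", "search_s", 926),
    _line("21:26:50.366", "LDAP unbind", "unbind_s", 899),
    _line("21:26:50.375", SEARCH % "uid=R87162821", "search_s", 926),
    _line("21:26:50.722", "LDAP unbind", "unbind_s", 899),
]
```

Run `summarize(parse_ldap_ops(open("/var/log/keystone/keystone.log")))` over the lines of a single request to get the same figures for a real log.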