For the record:
http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
reports in note 19 that specifying the object class can be dramatically
faster, so e.g.
(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:={0}))
as the group membership filter should be faster than
(member:1.2.840.113556.1.4.1941:={0})
if using the `Search for groups containing user` strategy
On 10 June 2014 11:51, teilo <teilo+goo...@teilo.net> wrote:
>
>
> On Thursday, 22 May 2014 16:12:52 UTC+1, Stephen Connolly wrote:
>>
>> OK, so there is now rumoured to be a faster and better way to look up the
>> groups that a user belongs to in the LDAP 1.10 plugin.
>>
>> I say rumoured because due to the complexities of Active Directory server
>> configurations, one can never be quite sure until one has had a fair amount
>> of testing.
>>
>> To that end, please could you set up a simple test Jenkins instance and
>> upgrade to ldap:1.10 and configure the `Parse user attribute for list of
>> groups` group membership strategy (again rumour has it that on Active
>> Directory the attribute `memberOf` is the magic attribute.
>>
>> See if that ends up giving you the same JENKINS_URL/whoAmI list of groups
>> as when you have the `Search for groups containing user` set with the
>> filter being `(member:1.2.840.113556.1.4.1941:={0})`... though the `Parse
>> user attribute for list of groups` should be very very fast for login while
>> the `Search for groups containing user` could take *ages*.
>>
>
> it gives the same results as 1.8 - when used without the
> LDAP_MATCHING_RULE_IN_CHAIN extension. (ie 'search groups containing user'
> = "(member={0})" )
>
> using the above OID on large installations is not possible as single
> queries take over 90 seconds and are culled by the AD server.
>
> it is faster than 1.8 for the same results - but it sounds like you where
> expecting recursive groups to be supported?
>
>
>
>> Respond back here with your findings so that I can remove the Red text on
>> the version history about this being a rumour
>>
>
> /James
>
> --
> You received this message because you are subscribed to the Google Groups
> "Jenkins Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jenkinsci-users+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>
--
You received this message because you are subscribed to the Google Groups
"Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to jenkinsci-users+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
