
Listing federated LDAP users is very slow with import enabled #34050

@sguilhen

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

ldap

Describe the bug

When users are imported from LDAP, subsequent requests to fetch the users (for example when going to the Users page in the Admin Console) take a much longer time to return.

If import is disabled and users are fetched all the time from LDAP, the response time to fetch users in the Users screen is barely affected and the screen loads almost instantly. However, once we enable the switch to import users, the first request fetches users (and imports them!) very fast, but once they are stored in the local DB all subsequent requests take a much longer time to complete - around 12 seconds in my setup when fetching only the first 10 users, which are now all stored in the local DB.

This probably has something to do with the validate method that runs as part of the search and is responsible for creating the proxied user with all the mappers. Each user has to be searched on LDAP to check for its existence and fetch updated data, so when fetching 10 federated users from the local DB we have 10 corresponding LDAP queries. Debugging the validate method, it looks like this search can be performed multiple times during a single request, which must be impacting the performance of building the proxy objects significantly.

We need to investigate/profile the server in order to understand why the performance with the imported users is so much worse than when fetching users all the time from LDAP (i.e. import disabled).

Version

26.0.0

Regression

  • The issue is a regression

Expected behavior

The performance to fetch 10 federated users that were imported into the Keycloak DB should not be (much) worse than fetching these users directly from LDAP all the time.

Actual behavior

Performance to fetch users drops significantly once they are imported into the Keycloak DB.

How to Reproduce?

  • Set up an LDAP federation with at least 1000 users.
  • Import the users from LDAP
  • Go to the Admin Console, click on the Users link
  • Check the time it takes to fetch the federated users from the local DB

Anything else?

No response
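
One way to check the repeated-search hypothesis from the directory side, as an added example that is not part of the issue or of Keycloak's code: count the LDAP search operations that a single Users page load produces. The log lines are constructed samples in OpenLDAP stats-log style, and the `(uid=...)` filters, base DN and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample (not from the issue): directory access log captured
# while the Admin Console lists a page of 3 imported users.
SAMPLE_LOG = """\
slapd[411]: conn=1007 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
slapd[411]: conn=1007 op=1 SRCH base="dc=example,dc=org" scope=2 deref=3 filter="(uid=user0001)"
slapd[411]: conn=1007 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[411]: conn=1007 op=2 SRCH base="dc=example,dc=org" scope=2 deref=3 filter="(uid=user0002)"
slapd[411]: conn=1007 op=3 SRCH base="dc=example,dc=org" scope=2 deref=3 filter="(uid=user0001)"
slapd[411]: conn=1008 op=1 SRCH base="dc=example,dc=org" scope=2 deref=3 filter="(uid=user0003)"
slapd[411]: conn=1008 op=2 SRCH base="dc=example,dc=org" scope=2 deref=3 filter="(uid=user0001)"
slapd[411]: conn=1008 op=3 SRCH base="dc=example,dc=org" scope=2 deref=3 filter="(uid=user0002)"
"""

# Matches only search requests; BIND and SEARCH RESULT lines are skipped.
SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" .*?filter="(?P<filter>[^"]*)"')


def count_searches(log_text):
    """Map (base DN, filter) -> number of search requests seen."""
    counts = Counter()
    for line in log_text.splitlines():
        match = SRCH_RE.search(line)
        if match:
            counts[(match["base"], match["filter"])] += 1
    return counts


def summarize(log_text, page_size):
    """Compare searches issued with the number of users on the page."""
    counts = count_searches(log_text)
    total = sum(counts.values())
    return {
        "total_searches": total,
        "distinct_searches": len(counts),
        # 1.0 means one lookup per listed user; above 1.0 means repeats.
        "searches_per_listed_user": total / page_size,
        "repeated_filters": {f: n for (_, f), n in counts.items() if n > 1},
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, page_size=3))
```

A ratio above 1.0 with a non-empty `repeated_filters` map would match the observation that the same user is searched more than once within one request.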
