Speeding up LDAP import process and Liferay authentication

Liferay 5.2 EE and 6 improved the capabilities of LDAP integration in many areas (refer to the blog posts LDAP Enhancements and Keeping user password secure with LDAP integration):

  • synchronize user custom attributes between Liferay and LDAP
  • support LDAP chains and LDAP pagination
  • create a role for each LDAP group
  • override LDAP import and export processes via Spring
  • secure LDAP users' password

As you know, the base DN is used as the base to search users and groups. When the number of users and groups is small, you would not meet any performance issue when searching users and groups. But if the number of users and groups is huge (like 500K users and 50K groups in LDAP), you would meet performance issues when searching users and groups, since each user may be part of 50 groups and every one of those groups has to be looked up.

Use case A (as shown in the following screenshot): 500K users and 50K groups. Each user may be part of 50 groups. When logging in as a user from LDAP, it took 20-30 seconds by default. It should take less than 1 second.

The portal does provide the following property to control the group search.

ldap.import.group.search.filter.enabled=true

As shown above, if the property is set to true, the group filter will be applied, but only to groups in the specified base DN. If it is set to false, the filter will not be applied and all groups that are associated with the imported users will be imported regardless of the base DN.

The workaround this property offers, importing all groups regardless of the base DN, is not an option here. Each user may belong to over 50 groups, and importing every group for every user would just clutter the system with useless data.

This article will address how to speed up LDAP import process and Liferay authentication.

Solution Overview

In two steps, you should be able to speed up the LDAP import process and Liferay authentication.

1) Set up custom group base DN in portal-ext.properties

# Set this to true to enable the custom group base DN settings.
# Set this to false to disable the custom group base DN settings.
ldap.import.group.base.dn.enabled=true

# Set the group base DN used when ldap.import.group.base.dn.enabled is set to true.
# Put the group base DN of your own LDAP here.
ldap.import.group.base.dn.default=ou=groups,ou=system

2) Use custom group base DN in LDAP import process
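The two steps above come down to one decision inside the import: a user's group memberships are only worth importing when the group lives under the configured group base DN, not the users base DN. The following Python script is an added example, not Liferay code and not the patch discussed in this post; it simulates that decision with the two properties proposed above, a constructed portal-ext.properties fragment, and a constructed user entry whose memberOf values are group DNs. The DN matching is done per RDN from the right and case-insensitively (assuming caseIgnoreMatch attributes such as cn and ou), so a group under OU=Groups,OU=System is kept while a DN that merely contains the base DN as a fragment is not.

```python
"""Simulate the group-selection step of an LDAP user import (added example, not Liferay code).

Assumes the two custom properties proposed in the post:
  ldap.import.group.base.dn.enabled
  ldap.import.group.base.dn.default
"""
from __future__ import annotations

import re

# Constructed portal-ext.properties fragment (values are illustrative).
PORTAL_EXT_PROPERTIES = """
# users base DN used for the user search
ldap.base.dn=ou=users,ou=system
ldap.import.group.base.dn.enabled=true
ldap.import.group.base.dn.default=ou=groups,ou=system
"""

# Constructed user entry: only three of the six memberOf values are under the group base DN.
CONSTRUCTED_USER = {
    "uid": "jdoe",
    "memberOf": [
        "cn=portal-admins,ou=groups,ou=system",
        "cn=Developers,OU=Groups,OU=System",           # same subtree, different case
        "cn=vpn-users,ou=groups,ou=network",           # different subtree
        "cn=printers,ou=groups,ou=system,dc=other",    # base DN appears in the middle only
        "cn=payroll,ou=finance,ou=system",
        "cn=subgroup,ou=archive,ou=groups,ou=system",  # nested below the group base DN
    ],
}


def parse_properties(text: str) -> dict[str, str]:
    """Minimal java.util.Properties-style parser: key=value lines, '#'/'!' comments, blanks."""
    props: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


# Split a DN on commas that are not backslash-escaped (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn: str) -> list[str]:
    """Split a DN into RDNs, trimmed and lower-cased.

    Lower-casing the whole RDN assumes caseIgnoreMatch attributes (cn, ou, dc),
    which is what group DNs in a directory like this one are built from.
    """
    return [rdn.strip().lower() for rdn in _RDN_SPLIT.split(dn)]


def is_under_base_dn(entry_dn: str, base_dn: str) -> bool:
    """True when entry_dn is base_dn itself or lies anywhere below it (subtree scope).

    Matching the trailing RDNs one by one means 'ou=groups,ou=system' never
    matches 'ou=xgroups,ou=system', and a DN that only contains the base DN
    as a middle fragment (e.g. '...,ou=groups,ou=system,dc=other') is rejected.
    """
    entry = normalize_dn(entry_dn)
    base = normalize_dn(base_dn)
    if len(entry) < len(base):
        return False
    return entry[len(entry) - len(base):] == base


def select_groups_to_import(user: dict, props: dict[str, str]) -> list[str]:
    """Return the memberOf DNs the import would process for this user.

    With the custom group base DN enabled, only groups in that subtree are
    considered. With it disabled, every group the user belongs to is returned,
    which is the 'import all 50 groups per user' behaviour the post warns about.
    """
    groups = list(user.get("memberOf", []))
    if props.get("ldap.import.group.base.dn.enabled", "false").lower() != "true":
        return groups
    base_dn = props["ldap.import.group.base.dn.default"]
    return [g for g in groups if is_under_base_dn(g, base_dn)]


if __name__ == "__main__":
    props = parse_properties(PORTAL_EXT_PROPERTIES)
    for group_dn in select_groups_to_import(CONSTRUCTED_USER, props):
        print("import:", group_dn)
```

Running the script prints the three group DNs under ou=groups,ou=system; removing the enabled property (or setting it to false) makes select_groups_to_import return all six, which is the case the post measures at 20-30 seconds per login on a large directory.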

Results

With these changes, the LDAP import process and Liferay authentication took less than 1 second.

1) Set up base DN as users base DN like

2) Test LDAP users

3) Test LDAP groups

Is this feature useful? Your comments and suggestions are welcome.

Summary

As you can see, the LDAP import process and Liferay authentication can be improved a lot by using the base DN as the users base DN for the user search, and the custom group base DN as the groups base DN for the group search. Ideally, we should divide the base DN ldap.base.dn into ldap.users.base.dn and ldap.groups.base.dn for user searches and group searches, respectively. Refer to LPS-14322.

Last but not least, I'd like to send special thanks to Eduardo Carneiro and Jenny Chen who did a great job to narrow down the issue and to identify solutions.

@jan and @lb, thanks. Here I want to share test results as follows.

"That’s great news! The patch also worked successfully. In this test, I was able to log-in very quickly and I see that only one group that matched the filter was imported. "
useful info, thanks and I will look at this

So far for me, for 6.0.5, for large LDAP imports where multiple subsystems authenticate against LDAP (LR is only one such subsystem), I have been using "ldap.import.method=group" and involve group naming to delineate by subsystem (I use LR_* group prefixes in LDAP), where I only reference groups needed in the group import filter.

Moving to AD from OpenLDAP for me has introduced new challenges; in OpenLDAP, all was quite flat, now in AD OU hierarchies are more intense.
Hi Jack, Thanks.

Here are the fix patch testing results:

The following features got fixed.
a. LDAP user temporary password should be auto-generated.
b. Make 'Import Enabled' and 'Import on Startup Enable' work.
c. Super fast sign-in
d. No password imported

How to apply the patch?

You can apply the updated patch in the following steps:

1) Shut down the portal
2) Add the JAR lpe9000-ldap-ee6010-portal-impl-jdk5.jar
3) Restart the portal

Make sure to add the following lines at the end of portal-ext.properties:

ldap.import.method=group
ldap.import.create.role.per.group=true
ldap.import.user.password.enabled=false
ldap.import.user.password.autogenerated=true
ldap.import.user.password.default=test
ldap.import.group.base.dn.enabled=true
ldap.import.group.base.dn.default=ou=groups,ou=system

Note that you need to use your own LDAP group base DN.

Last but not least, check 'Import Enabled' and 'Import on Startup Enable' in the LDAP UI.

Before testing, it would be better to start from scratch or remove existing users, user groups, and roles in Liferay portal.
Hi Jack, the following is the testing result (the tested AD has more than 500K users and 50K groups) based on the above settings plus the patch:

"The new patch seems to work really well. Great Job! It imported the groups on startup and loaded my test users. The login performance is great and the password is being auto generated.

I’m still running a few tests but things are looking good."
Hi,
Is there some available patch for 6.0.5 CE?

tks
Hi Henrigue, thanks. Yes, it is available for 6.0.5 CE. You can drop me email: jonasliferay@gmail.com.
Hi..
I am using Liferay 6. I am not able to import the user. While testing LDAP groups, it shows me the groups, but when I try to see the user group it's empty.

please help.
Hi Ankit, which version are you using? EE or CE?
Hi Jonas,

I'm new with LDAP. I just successfully installed OpenLDAP on our server. I'm still trying to figure out the structure of my LDAP tree and this article really helped. Where can I get the lpe9000-ldap-ee6010-portal-impl-jdk5.jar patch? I think I will need it.
Hi Danny, sorry to miss your post.

Which version are you using? CE or EE?

Thanks

Jonas
Hi Jonas,

Nice post. We are using Liferay Portal Enterprise Edition 6.0 EE SP1 and we are facing a strange issue: LDAP import is failing for a user group having more than 17k users. The import process is being aborted from then on. No errors are being written to the logs.
Hi Vamsi, thanks.

You may drop an email to jonasliferay@gmail.com, where we could discuss more details.

Best regards,

Jonas