devpi / devpi-ldap

Plugin for devpi-server which provides LDAP authentication.

Allow multiple search bases to support geographical model #53

Open hendralinux opened 1 year ago

hendralinux commented 1 year ago

If the users are organized in this way:

- CN={username}, OU=users, OU=Asia, DC=example,DC=com
- CN={username}, OU=users, OU=Americas, DC=example,DC=com
- CN={username}, OU=users, OU=Europe, DC=example,DC=com

then for the search to work, the base has to be set as DC=example,DC=com, and this slows things down as the size of the organization grows. Is there a way to add more than 1 base for the search?

fschulze commented 1 year ago

If I understand that correctly, then three searches would have to be made. With a trivial implementation that would mean trying them one by one until a match is found or all options have been tried. The more complex way would be to do the search in parallel, which would either need threads or using async. I haven't checked whether the used library allows async, or may even have a way to do the parallel search itself.

hendralinux commented 1 year ago

Thanks for responding :) Yes, all three searches need to be made, either sequentially or in parallel. At least in my case, that's still faster than doing a full search of everything down from the top. I didn't actually test it with devpi-ldap, but Apache allows multiple LDAP stanzas with different search bases, which can be combined when used for authentication, and that's faster than defining a single search base from the top that has to traverse all the objects.
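
The sequential variant discussed in this thread, sketched as an added example that is not part of the issue or of devpi-ldap's code. It queries every configured base instead of stopping at the first hit, so a login that exists under two regions is rejected rather than resolved to whichever base came first. `find_user_dn`, `fake_search`, `escape_filter_value` and the in-memory directory are hypothetical names and constructed data; `search_fn` stands in for the real LDAP subtree search.

```python
# Added example: user lookup across several LDAP search bases, one by one.
BASES = [  # the three regional bases from the issue
    "OU=users,OU=Asia,DC=example,DC=com",
    "OU=users,OU=Americas,DC=example,DC=com",
    "OU=users,OU=Europe,DC=example,DC=com",
]

# Constructed sample entries as (DN, CN); not real directory data.
DIRECTORY = [
    ("CN=alice,OU=users,OU=Asia,DC=example,DC=com", "alice"),
    ("CN=bob,OU=users,OU=Europe,DC=example,DC=com", "bob"),
    ("CN=carol,OU=users,OU=Asia,DC=example,DC=com", "carol"),
    ("CN=carol,OU=users,OU=Americas,DC=example,DC=com", "carol"),
    ("CN=svc,OU=services,DC=example,DC=com", "svc"),
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a username cannot alter the filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def fake_search(base, user_filter):
    """Hypothetical stand-in for a subtree search: exact CN match under base."""
    suffix = "," + base.lower()
    wanted = user_filter.lower()
    return [dn for dn, cn in DIRECTORY
            if dn.lower().endswith(suffix)
            and ("(cn=%s)" % escape_filter_value(cn)).lower() == wanted]

def find_user_dn(username, bases=BASES, search_fn=fake_search):
    """Search each base in order; return one DN, None if absent, raise if ambiguous."""
    user_filter = "(cn=%s)" % escape_filter_value(username)
    matches = []
    for base in bases:
        matches.extend(search_fn(base, user_filter))
    if len(matches) > 1:
        # Same login under two regions: refuse instead of binding as the first hit.
        raise LookupError("ambiguous user %r: %d entries" % (username, len(matches)))
    return matches[0] if matches else None

if __name__ == "__main__":
    for name in ("alice", "bob", "svc", "*"):
        print(name, "->", find_user_dn(name))
```

Stopping at the first match saves queries but makes the result depend on the order of the bases, which matters once the same CN can exist in more than one region.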