zorn96 / ms_active_directory

A library for integrating with Microsoft Active Directory domains
MIT License

Very slow adding/removing members to large groups #92

Open rlees85 opened 2 months ago

rlees85 commented 2 months ago

I am finding it takes up to a minute and sometimes more to add a user to a large group. Removing some guards (optionally) could drastically improve the performance.

zorn96 commented 2 months ago

hi @rlees85 ! have you tried using the skip_validation keyword argument on the functions? I added it for this purpose. the docstring says

   :param skip_validation: If true, assume all distinguished names exist and do not look them up.
                           Defaults to False. This can be used to make this function more performant when
                           the caller knows all the distinguished names being specified are valid, as it
                           performs far fewer queries.

rlees85 commented 2 months ago

Thanks for the reply @zorn96 . I have already been running with skip_validation=true since we do not need to validate in our use case.

The problem is fix=True in this line:

            res = member_modify_fn(member_dn_list, [group_dn], fix=True)

which calls ldap_connection.extend.microsoft.remove_members_from_groups or ldap_connection.extend.microsoft.add_members_to_groups.

The fix flag that is hard coded here basically causes ldap3 to pull back every member of the group, which in our case is tens of thousands.
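The difference described in the last comment, as an added example that is not code from ms_active_directory or ldap3: a read-then-modify add beside a single blind modify. `FakeGroupConnection`, `sample_group` and both `add_member_*` functions are hypothetical names; the fake only mimics the `search`/`modify`/`result`/`response` subset of an ldap3 connection, and the example assumes the directory answers a duplicate add with `entryAlreadyExists` (68).

```python
MODIFY_ADD = "MODIFY_ADD"      # same string value as ldap3.MODIFY_ADD
ENTRY_ALREADY_EXISTS = 68      # LDAP result code assumed for a duplicate member


def sample_group(n):
    """Constructed member DNs for a large group."""
    return [f"CN=user{i},OU=People,DC=example,DC=com" for i in range(n)]


class FakeGroupConnection:
    """Constructed stand-in for the subset of an ldap3 connection used below."""

    def __init__(self, members):
        self._members = {m.lower() for m in members}
        self.values_read = 0   # member values sent back to the client
        self.response, self.result = [], {}

    def search(self, dn, search_filter, search_scope="BASE", attributes=None):
        members = sorted(self._members)
        self.values_read += len(members)
        self.response = [{"dn": dn, "attributes": {"member": members}}]
        return True

    def modify(self, dn, changes):
        _op, values = changes["member"][0]
        if any(v.lower() in self._members for v in values):
            self.result = {"result": ENTRY_ALREADY_EXISTS}
            return False
        self._members.update(v.lower() for v in values)
        self.result = {"result": 0}
        return True


def add_member_read_first(conn, member_dn, group_dn):
    """Read-then-write: fetch every member, diff client-side, then modify."""
    conn.search(group_dn, "(objectClass=*)", search_scope="BASE", attributes=["member"])
    existing = {m.lower() for m in conn.response[0]["attributes"]["member"]}
    if member_dn.lower() in existing:
        return True
    return conn.modify(group_dn, {"member": [(MODIFY_ADD, [member_dn])]})


def add_member_blind(conn, member_dn, group_dn):
    """Single modify; the server detects duplicates, the group is never read."""
    if conn.modify(group_dn, {"member": [(MODIFY_ADD, [member_dn])]}):
        return True
    # Already a member: the desired end state holds, so treat it as success.
    return conn.result.get("result") == ENTRY_ALREADY_EXISTS
```

With a real connection, any other non-zero result code from the blind modify (for example a nonexistent group or insufficient rights) still comes back as `False` and should be surfaced to the caller.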