Why is connecting to our LDAP server taking so long?

Issue

We experience ‘too long time to connect’ to CloudBees Core via our corporate LDAP. Is there a way to to speed this up?

Is there a way to use a group filter to speed this up?

Environment

Resolution

Most of the times the slowness is produced by the LDAP plugin not being customized enough. Especially, the following 4 fields must be configured as accurate as possible in order to reduce the time spend in retrieving user/groups information and thus making the scope of the query lighter.

  • User search base
  • User search filter
  • Group search base
  • Group search filter

Notice that the cache will also reduce the number of times you are reaching out to the LDAP server under consecutive logins.

  • NOTE: In the LDAP plugin configuration under Manage Jenkins -> Configure Global Security you have a help button for each option giving you advice about how to configure it.

Special use case: membership filter

The default filter applied when membership filter field is empty is (| (member={0}) (uniqueMember={0}) (memberUid={1})). Such a filter is a default that catches most LDAP schemas. However, it is at least three times slower that whatever is the correct filter for your LDAP schema. The correct filter for your schema should be one of (member={0}) or (uniqueMember={0}) or (memberUid={1}). Changing to the correct filter will have a threefold increase in performance.

This can be done in the LDAP plugin configuration under Group membership -> Search for LDAP groups containing user -> Group membership filter

However, this improvement is not valid for all the uses cases, notice that this is valid only for some LDAP configuration.

The Group Search Filter and Group Membership Filter are outlined in detail in the wiki page of the plugin

Special use case: Active Directory

In case you are using the LDAP plugin to be authenticated against an Active Directory server then it is recommended that instead of using the LDAP catalog (389/686) you use the global catalog (3268/3269). This should improve the login performance as we ensure we only reach out one server.

To better understand how the LDAP plugin should be configured to work against an Active Directory server, you should follow the section called Tips and Tricks from the LDAP plugin wiki page.

Have more questions?

2 Comments

  • 0
    Avatar
    Liao Yuan

    it's OK Now

  • 0
    Avatar
    Liao Yuan

    Thank you for your help!

Please sign in to leave a comment.