Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions changelog/unreleased/enhancement-ldap-connection-pool.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
Enhancement: Add an opt-in LDAP connection pool

Added `GetLDAPClientWithPool`, a bounded pool of authenticated LDAP
connections, as a drop-in alternative to the existing single, long-lived
reconnecting connection. It is disabled by default and can be enabled per
backend via `pool_enabled` (plus `pool_size` and `pool_checkout_timeout`) on
the auth, user and group LDAP managers, so concurrent requests no longer
serialize on a single socket.

https://github.com/owncloud/reva/pull/658
6 changes: 5 additions & 1 deletion pkg/auth/manager/ldap/ldap.go
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,11 @@ func New(m map[string]interface{}) (auth.Manager, error) {
if err != nil {
return nil, err
}
manager.ldapClient, err = utils.GetLDAPClientWithReconnect(&manager.c.LDAPConn)
if manager.c.LDAPConn.PoolEnabled {
manager.ldapClient, err = utils.GetLDAPClientWithPool(&manager.c.LDAPConn)
} else {
manager.ldapClient, err = utils.GetLDAPClientWithReconnect(&manager.c.LDAPConn)
}
Comment on lines +81 to +85

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems better a utils.GetLDAPClientFromConfig(manager.c.LDAPConn) that returns the appropriate client.

func GetLDAPClientFromConfig(cfg Config) (*ldap.Client, error) {
  if cfg.PoolEnabled {
    return GetLDAPClientWithPool(cfg)
  } else {
    return GetLDAPClientWithReconnect(cfg)
  }
}

then you can call that method from here

manager.ldapClient, err = utils.GetLDAPClientFromConfig(&manager.c.LDAPConn)

if err != nil {
return nil, err
}
Expand Down
6 changes: 5 additions & 1 deletion pkg/group/manager/ldap/ldap.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,11 @@ func New(m map[string]interface{}) (group.Manager, error) {
return nil, err
}

mgr.ldapClient, err = utils.GetLDAPClientWithReconnect(&mgr.c.LDAPConn)
if mgr.c.LDAPConn.PoolEnabled {
mgr.ldapClient, err = utils.GetLDAPClientWithPool(&mgr.c.LDAPConn)
} else {
mgr.ldapClient, err = utils.GetLDAPClientWithReconnect(&mgr.c.LDAPConn)
}
if err != nil {
return nil, err
}
Expand Down
6 changes: 5 additions & 1 deletion pkg/user/manager/ldap/ldap.go
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,11 @@ func New(m map[string]interface{}) (user.Manager, error) {
return nil, err
}

mgr.ldapClient, err = utils.GetLDAPClientWithReconnect(&mgr.c.LDAPConn)
if mgr.c.LDAPConn.PoolEnabled {
mgr.ldapClient, err = utils.GetLDAPClientWithPool(&mgr.c.LDAPConn)
} else {
mgr.ldapClient, err = utils.GetLDAPClientWithReconnect(&mgr.c.LDAPConn)
}
return mgr, err
}

Expand Down
7 changes: 7 additions & 0 deletions pkg/user/manager/ldap/ldap_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -65,4 +65,11 @@ func TestUserManager(t *testing.T) {
if err != nil {
t.Fatal(err.Error())
}

// New must not dial anything eagerly, so pool_enabled must also succeed without a
// reachable LDAP server.
_, err = New(map[string]interface{}{"pool_enabled": true})
if err != nil {
t.Fatal(err.Error())
}
}
92 changes: 59 additions & 33 deletions pkg/utils/ldap.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (
"crypto/tls"
"crypto/x509"
"os"
"time"

"github.com/owncloud/reva/v2/pkg/logger"
ldapReconnect "github.com/owncloud/reva/v2/pkg/utils/ldap"
Expand All @@ -37,30 +38,47 @@ type LDAPConn struct {
CACert string `mapstructure:"cacert"`
BindDN string `mapstructure:"bind_username"`
BindPassword string `mapstructure:"bind_password"`

// PoolEnabled switches GetLDAPClientWithPool callers to a bounded connection pool instead of
// the single long-lived reconnecting connection. Off by default.
PoolEnabled bool `mapstructure:"pool_enabled"`
// PoolSize caps the number of concurrently open pooled connections. Defaults to 5 when unset.
PoolSize int `mapstructure:"pool_size"`
// PoolCheckoutTimeout bounds how long a checkout waits for a connection to become available
// once the pool is at PoolSize. Defaults to 30s when unset.
PoolCheckoutTimeout time.Duration `mapstructure:"pool_checkout_timeout"`
}

// GetLDAPClientWithReconnect initializes a long-lived LDAP connection that
// automatically reconnects on connection errors. It allows to set TLS options
// e.g. to add trusted Certificates or disable Certificate verification
func GetLDAPClientWithReconnect(c *LDAPConn) (ldap.Client, error) {
var tlsConf *tls.Config
// tlsConfigFromLDAPConn builds the *tls.Config shared by all GetLDAPClient* constructors below.
func tlsConfigFromLDAPConn(c *LDAPConn) (*tls.Config, error) {
if c.Insecure {
logger.New().Warn().Msg("SSL Certificate verification is disabled. This is strongly discouraged for production environments.")
tlsConf = &tls.Config{
return &tls.Config{
//nolint:gosec // We need the ability to run with "insecure" (dev/testing)
InsecureSkipVerify: true,
}
}, nil
}
if !c.Insecure && c.CACert != "" {
if pemBytes, err := os.ReadFile(c.CACert); err == nil {
rpool, _ := x509.SystemCertPool()
rpool.AppendCertsFromPEM(pemBytes)
tlsConf = &tls.Config{
RootCAs: rpool,
}
} else {
if c.CACert != "" {
pemBytes, err := os.ReadFile(c.CACert)
if err != nil {
return nil, errors.Wrapf(err, "Error reading LDAP CA Cert '%s.'", c.CACert)
}
rpool, _ := x509.SystemCertPool()
rpool.AppendCertsFromPEM(pemBytes)
return &tls.Config{
RootCAs: rpool,
}, nil
}
return nil, nil
}

// GetLDAPClientWithReconnect initializes a long-lived LDAP connection that
// automatically reconnects on connection errors. It allows to set TLS options
// e.g. to add trusted Certificates or disable Certificate verification
func GetLDAPClientWithReconnect(c *LDAPConn) (ldap.Client, error) {
tlsConf, err := tlsConfigFromLDAPConn(c)
if err != nil {
return nil, err
}

conn := ldapReconnect.NewLDAPWithReconnect(
Expand All @@ -74,28 +92,36 @@ func GetLDAPClientWithReconnect(c *LDAPConn) (ldap.Client, error) {
return conn, nil
}

// GetLDAPClientWithPool initializes a bounded pool of authenticated LDAP connections, dialed and
// bound lazily on first use. It is a drop-in alternative to GetLDAPClientWithReconnect intended for
// backends that need to serve concurrent requests without serializing on a single connection.
func GetLDAPClientWithPool(c *LDAPConn) (ldap.Client, error) {
tlsConf, err := tlsConfigFromLDAPConn(c)
if err != nil {
return nil, err
}

pool := ldapReconnect.NewLDAPPool(
ldapReconnect.Config{
URI: c.URI,
BindDN: c.BindDN,
BindPassword: c.BindPassword,
TLSConfig: tlsConf,
PoolSize: c.PoolSize,
PoolCheckoutTimeout: c.PoolCheckoutTimeout,
},
)
pool.SetLogger(logger.New())
return pool, nil
}

// GetLDAPClientForAuth initializes an LDAP connection. The connection is not authenticated
// when returned. The main purpose for GetLDAPClientForAuth is to get and LDAP connection that
// can be used to issue a single bind request to authenticate a user.
func GetLDAPClientForAuth(c *LDAPConn) (ldap.Client, error) {
var tlsConf *tls.Config
if c.Insecure {
logger.New().Warn().Msg("SSL Certificate verification is disabled. Is is strongly discouraged for production environments.")
tlsConf = &tls.Config{
//nolint:gosec // We need the ability to run with "insecure" (dev/testing)
InsecureSkipVerify: true,
}
}
if !c.Insecure && c.CACert != "" {
if pemBytes, err := os.ReadFile(c.CACert); err == nil {
rpool, _ := x509.SystemCertPool()
rpool.AppendCertsFromPEM(pemBytes)
tlsConf = &tls.Config{
RootCAs: rpool,
}
} else {
return nil, errors.Wrapf(err, "Error reading LDAP CA Cert '%s.'", c.CACert)
}
tlsConf, err := tlsConfigFromLDAPConn(c)
if err != nil {
return nil, err
}
l, err := ldap.DialURL(c.URI, ldap.DialWithTLSConfig(tlsConf))
if err != nil {
Expand Down
Loading