Question

I have configured the LdapContrib to hook into my Active Directory. I have read some threads that recommend loading a CGI accelerator, such as mod_perl of FastCGI, but I haven't done so yet. After reviewing my logs, I can see that searches are being performed for each page that is requested. Is this normal behavior?

If the LdapContrib is written to search on each page request, why isn't it looking to the cache after the initial scan of the directory?

Ldap Contrib Configuration

$TWiki::cfg{Ldap}{Host} = 'MyDomainController';
$TWiki::cfg{Ldap}{Port} = 389;
$TWiki::cfg{Ldap}{Version} = '3';
$TWiki::cfg{Ldap}{Base} = 'dc=ds,dc=company,dc=com';
$TWiki::cfg{Ldap}{BasePasswd} = 'ou=users,ou=specificgroup,ou=loc,ou=corp,dc=ds,dc=company,dc=com';
$TWiki::cfg{Ldap}{BaseGroup} = 'ou=Etwiki,ou=groups,ou=corp,dc=ds,dc=company,dc=com';
$TWiki::cfg{Ldap}{LoginAttribute} = 'sAMAccountName';
$TWiki::cfg{Ldap}{WikiNameAttribute} = 'givenName, sn';
$TWiki::cfg{Ldap}{NormalizeWikiNames} = 1;
$TWiki::cfg{Ldap}{LoginFilter} = 'objectClass=user';
$TWiki::cfg{Ldap}{GroupAttribute} = 'cn';
$TWiki::cfg{Ldap}{GroupFilter} = 'objectClass=group';
$TWiki::cfg{Ldap}{TWikiGroupsBackoff} = 1;
$TWiki::cfg{Ldap}{MemberAttribute} = 'member';
$TWiki::cfg{Ldap}{MemberIndirection} = 1;
$TWiki::cfg{Ldap}{BindDN} = 'cn=BindAccount,dc=ds,dc=company,dc=com';
$TWiki::cfg{Ldap}{BindPassword} = _password_;
$TWiki::cfg{Ldap}{MapGroups} = 1;
$TWiki::cfg{Ldap}{SSL} = 0;
$TWiki::cfg{Ldap}{MaxCacheHits} = -1;
$TWiki::cfg{Ldap}{Exclude} = 'TWikiGuest, TWikiContributor, TWikiRegistrationAgent, TWikiAdminGroup, NobodyGroup';
$TWiki::cfg{Ldap}{PageSize} = 200;

Ldap Contrib Debug Output

[Tue May 01 12:51:30 2007] [error] [client 1.192.168.X] LdapContrib - called LdapContrib constructor
[Tue May 01 12:51:30 2007] [error] [client 1.192.168.X] LdapContrib - called search(filter=objectClass=user, base=ou=users,ou=specificgroup,ou=loc,ou=corp,dc=ds,dc=company,dc=com scope=sub, limit=0, attrs=sAMAccountName,givenName,sn)
[Tue May 01 12:51:30 2007] [error] [client 1.192.168.X] LdapContrib - called connect
[Tue May 01 12:51:30 2007] [error] [client 1.192.168.X] LdapContrib - proxy bind
[Tue May 01 12:51:30 2007] [error] [client 1.192.168.X] LdapContrib - done search
[Tue May 01 12:51:30 2007] [error] [client 1.192.168.X] LdapContrib - called search(filter=objectClass=user, base=ou=users,ou=specificgroup,ou=loc,ou=corp,dc=ds,dc=company,dc=com, scope=sub, limit=0, attrs=sAMAccountName,givenName,sn)
[Tue May 01 12:51:30 2007] [error] [client 1.192.168.X] LdapContrib - done search
[Tue May 01 12:51:31 2007] [error] [client 1.192.168.X] LdapContrib - called search(filter=objectClass=user, base=ou=users,ou=specificgroup,ou=loc,ou=corp,dc=ds,dc=company,dc=com, scope=sub, limit=0, attrs=sAMAccountName,givenName,sn)
[Tue May 01 12:51:31 2007] [error] [client 1.192.168.X] LdapContrib - done search
[Tue May 01 12:51:31 2007] [error] [client 1.192.168.X] LdapContrib - called isGroup(TWikiAdmin)
[Tue May 01 12:51:31 2007] [error] [client 1.192.168.X] LdapContrib - called getGroupNames()
[Tue May 01 12:51:31 2007] [error] [client 1.192.168.X] LdapContrib - called search(filter=objectClass=group, base=ou=Etwiki,ou=groups,ou=corp,dc=ds,dc=company,dc=com, scope=sub, limit=0, attrs=cn)
[Tue May 01 12:51:31 2007] [error] [client 1.192.168.X] LdapContrib - done search
[Tue May 01 12:51:31 2007] [error] [client 1.192.168.X] LdapContrib - called disconnect()
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - called LdapContrib constructor, referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - called search(filter=objectClass=user, base=ou=users,ou=specificgroup,ou=loc,ou=corp,dc=ds,dc=company,dc=com, scope=sub, limit=0, attrs=sAMAccountName,givenName,sn), referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - called connect, referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - proxy bind, referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - done search, referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - called search(filter=objectClass=user, base=ou=users,ou=specificgroup,ou=loc,ou=corp,dc=ds,dc=company,dc=com, scope=sub, limit=0, attrs=sAMAccountName,givenName,sn), referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - done search, referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - called search(filter=objectClass=user, base=ou=users,ou=specificgroup,ou=loc,ou=corp,dc=ds,dc=company,dc=com, scope=sub, limit=0, attrs=sAMAccountName,givenName,sn), referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - done search, referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - called isGroup(TWikiAdmin), referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - called getGroupNames(), referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - called search(filter=objectClass=group, base=ou=Etwiki,ou=groups,ou=corp,dc=ds,dc=company,dc=com, scope=sub, limit=0, attrs=cn), referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - done search, referer: http://hostname/twiki/bin/view/Main/WebHome
[Tue May 01 12:52:35 2007] [error] [client 1.192.168.X] LdapContrib - called disconnect(), referer: http://hostname/twiki/bin/view/Main/WebHome

Environment

-- JosephMecca - 01 May 2007

Answer

If you answer a question - or someone answered one of your questions - please remember to edit the page and set the status to answered. The status selector is below the edit box.

If you use speedy-cgi (or mod_perl), then LdapContrib will cache search results. If you don't use any perl accelerator, then LdapContrib will not cache search results.

-- MichaelDaum - 01 May 2007

Thanks Michael, I will look into configuring one of those.

On another note, I have a nested group in my directory. When the group comes over, I see the users designated to the group, but not the group name of the nested group. I know that TWiki supports nested groups, is this even supported with the LdapContrib?

Here is the nested group entry in my directory:

CN=NestedGroup,CN=Users,DC=ds,DC=company,DC=com

-- JosephMecca - 01 May 2007

Hmmmm... I don't understand MichaelDaum's comment-- I currently do NOT use an accelerator, but LdapContrib tries to cache the entire LDAP directory with any (e.g., login or logout) access. In the code, the only thing I can see is that the variable indicating the cache has been filled would remain set if an accelerator were used.

We have a large LDAP environment and I'm having major issues with the caching behavior of LdapContrib.

-- CrisRhea - 26 Jun 2007

Please try the latest LdapContrib.

-- MichaelDaum - 11 Oct 2007