perf(authentication): improve active directory default users filter (#2181)

This adds a performance change to the default Active Directory users filter. As documented on TechNet, the (sAMAccountType=805306368) filter is equivalent to (&(objectCategory=person)(objectClass=user)) but performs better.
James Elliott 2021-07-14 20:30:25 +10:00 committed by GitHub
parent 9d7cfb8455
commit c794d57afc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 6 additions and 8 deletions


@ -206,9 +206,13 @@ makes sure that value is not 0 which means the password requires changing at the
|Implementation |Users Filter |Groups Filter| |Implementation |Users Filter |Groups Filter|
|:-------------:|:------------:|:-----------:| |:-------------:|:------------:|:-----------:|
|custom |n/a |n/a | |custom |n/a |n/a |
|activedirectory|(&(|({username_attribute}={input})({mail_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))|(&(member={dn})(objectClass=group)(objectCategory=group))| |activedirectory|(&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0)))|(&(member={dn})(objectClass=group)(objectCategory=group))|
_**Note:**_ The Active Directory filter `(sAMAccountType=805306368)` is exactly the same as
`(&(objectCategory=person)(objectClass=user))` except that the former is more performant, you can read more about this
and other Active Directory filters on the [TechNet wiki](https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx).
## Refresh Interval ## Refresh Interval
This setting takes a [duration notation](../index.md#duration-notation-format) that sets the max frequency This setting takes a [duration notation](../index.md#duration-notation-format) that sets the max frequency


@ -84,7 +84,7 @@ var DefaultLDAPAuthenticationBackendConfiguration = LDAPAuthenticationBackendCon
// DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration represents the default LDAP config for the MSAD Implementation. // DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration represents the default LDAP config for the MSAD Implementation.
var DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration = LDAPAuthenticationBackendConfiguration{ var DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration = LDAPAuthenticationBackendConfiguration{
UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(!pwdLastSet=0))", UsersFilter: "(&(|({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0)))",
UsernameAttribute: "sAMAccountName", UsernameAttribute: "sAMAccountName",
MailAttribute: "mail", MailAttribute: "mail",
DisplayNameAttribute: "displayName", DisplayNameAttribute: "displayName",
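Review bot: The doc comment on `DefaultLDAPAuthenticationBackendImplementationActiveDirectoryConfiguration` says nothing about why the new `UsersFilter` on the changed line is shaped the way it is, and the commit message presents it purely as a performance change even though the line also rewrites the two negations from `(!userAccountControl...)`/`(!pwdLastSet=0)` to `(!(userAccountControl...))`/`(!(pwdLastSet=0))`, which is the only form RFC 4515 allows for a `not` filter. Those two terms are what keep disabled accounts and accounts with `pwdLastSet=0` out of the user lookup, so the reason for each should be recorded next to the constant, e.g. `// sAMAccountType=805306368 (SAM_NORMAL_USER_ACCOUNT) is equivalent to (&(objectCategory=person)(objectClass=user)) but cheaper for AD to evaluate;` followed by `// the (!(...)) negations exclude disabled accounts (userAccountControl bit 2) and accounts that must change their password (pwdLastSet=0); RFC 4515 requires the nested-parenthesis form.` A unit test pinning the exact default filter string would also keep a later edit from silently reverting the negation syntax.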


@ -24,14 +24,8 @@ authentication_backend:
skip_verify: true skip_verify: true
start_tls: true start_tls: true
base_dn: DC=example,DC=com base_dn: DC=example,DC=com
username_attribute: sAMAccountName
additional_users_dn: OU=Users additional_users_dn: OU=Users
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=user))
additional_groups_dn: OU=Groups additional_groups_dn: OU=Groups
groups_filter: (&(member={dn})(objectClass=group))
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: displayName
user: CN=Administrator,CN=Users,DC=example,DC=com user: CN=Administrator,CN=Users,DC=example,DC=com
password: password password: password
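Review bot: Removing `users_filter`, `groups_filter` and the attribute keys from this block makes the effective filters depend on the `implementation` key, which sits above the hunk and is not visible here; unless it is `activedirectory`, the defaults for whichever implementation is configured will apply and will not express what the removed lines did. Note also that the removed `users_filter` used `(objectClass=person)` with no disabled-account exclusion, whereas the activedirectory default in this same commit excludes disabled accounts and `pwdLastSet=0`, so for this example the set of accounts that can authenticate changes rather than just the wording. A short comment at the top of the block would make that intent explicit, e.g. `# users_filter/groups_filter and attribute names are omitted on purpose: the activedirectory implementation defaults apply (they exclude disabled accounts and pwdLastSet=0).`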