
slow AD ldap query or bad filter/algorithm?

From: Natxo Asenjo
Date: December 11, 2015 11:12
Subject: slow AD ldap query or bad filter/algorithm?
Message ID: CAHBEJzVhLJeLUvEJNon=YvrNAkLYwJXifF9BR18qEn20tyPv6Q@mail.gmail.com

hi,

I need to get mail enabled groups info from Active Directory.

AD mail enabled groups (be it distribution or security groups) keep the
member attributes as distinguished names.

Example:

CN=mailgroup,OU=Groep,DC=domain,DC=tld
objectClass: top
objectClass: group
cn: mailgroup
member: CN=user a,OU=staff,dc=domain,dc=tld
member: CN=user b,OU=staff,dc=domain,dc=tld
member: CN=user c,OU=staff,dc=domain,dc=tld
member: CN=user d,OU=staff,dc=domain,dc=tld

etc

So in order to get the mail addresses of those users, I need to launch
another query.

So I first query the mail enabled groups, fast query:

my $mail_enabled_grps_AD = "(&(objectCategory=group)(mail=*))";

# first find enabled accounts to fill @ad_enabled
while (1) {
    my $search_ad = $ad_ldap->search(
        base   => "dc=domain,dc=tld",
        scope  => "sub",
        filter => $mail_enabled_grps_AD,
        attrs =>
          [ 'cn', 'member', 'mail', 'proxyaddresses', 'distinguishedname' ],
        control => [$page_ad],
    );

    $search_ad->code && die "error on search ad: $@: " . $search_ad->error;
    while ( my $entry = $search_ad->pop_entry() ) {
        my $displayname = $entry->get_value('cn');
        my $dn          = $entry->get_value('distinguishedname');
        my $mail        = $entry->get_value('mail');
        my @members     = $entry->get_value('member');
        my @email_addrs = $entry->get_value('proxyaddresses');

        # fill @ad_enabled
        push @ad_mail_enbld_groups, lc $mail;

        my @ad_mails = _from_dn_to_mail(@members);

        # generate hash for hoh_AD
        my $rec = {
            MAIL          => $mail,
            MEMBERS       => [@members],
            MEMBERS_ADDRS => [@ad_mails],
            PROXYADDRS    => [@email_addrs],
        };

        # assign $rec to %hoh_AD
        $hoh_AD{$mail} = $rec;

    }

    my ($resp) = $search_ad->control(LDAP_CONTROL_PAGED) or last;
    $cookie_ad = $resp->cookie or last;
    $page_ad->cookie($cookie_ad);
}

If I do not use   my @ad_mails = _from_dn_to_mail(@members); then this
snippet runs under 2 seconds.

If I use it, it takes 2m30secs.

This is the code in the sub(s):

sub _get_ad_user_mail {
    my ($ad_user) = @_;
    my $search_ad = $ad_ldap->search(
        base  => "dc=domain,dc=tld",
        scope => "sub",
        filter =>
"(&(objectclass=user)(objectcategory=person)(distinguishedname=$ad_user))",
        attrs => ['mail'],
    );

    $search_ad->code && die "error on search ad: $@: " . $search_ad->error;
    for my $entry ( $search_ad->entries ) {
        my $ad_user_mail = $entry->get_value('mail');
        return $ad_user_mail;
    }
}

sub _from_dn_to_mail {
    my (@members) = @_;
    my @ad_mail;
    for my $member (@members) {
        push @ad_mail, _get_ad_user_mail($member);
    }
    return @ad_mail;

}


I mean, it works, but is it normal that it's so slow or am I missing
something very obvious?

Thanks for your input.
-- 
--
Groeten,
natxo
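
An added example, not part of the original post: two ways to resolve member addresses without running a subtree search with an unescaped DN in the filter for every member. The sub names, the `$ldap`/`$base` parameters and the sample DN are assumptions made for illustration; the Net::LDAP calls are the same ones the post uses, plus `escape_filter_value` from Net::LDAP::Util.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# One search per group instead of one per member: ask for every user whose
# memberOf holds the group DN. The DN ends up inside a filter, so it is
# escaped per RFC 4515 first; a DN containing ( ) * or \ would otherwise
# change or break the filter.
sub group_member_filter {
    my ($group_dn) = @_;
    return sprintf
      '(&(objectCategory=person)(objectClass=user)(mail=*)(memberOf=%s))',
      escape_filter_value($group_dn);
}

# Mail addresses of the direct members of $group_dn.
# $ldap is a bound Net::LDAP handle, $base the search base (both assumed).
sub mails_for_group {
    my ( $ldap, $base, $group_dn ) = @_;
    my $res = $ldap->search(
        base   => $base,
        scope  => 'sub',
        filter => group_member_filter($group_dn),
        attrs  => ['mail'],
    );
    die 'member search failed: ' . $res->error if $res->code;
    return map { lc $_->get_value('mail') } $res->entries;
}

# Alternative that keeps per-member lookups: read the entry at its own DN
# (scope 'base'), so no DN is interpolated into a filter, and cache the
# result so a user who is in several groups costs one round trip.
my %mail_cache;
sub mail_for_dn {
    my ( $ldap, $dn ) = @_;
    return $mail_cache{$dn} if exists $mail_cache{$dn};
    my $res = $ldap->search(
        base   => $dn,
        scope  => 'base',
        filter => '(&(objectClass=user)(objectCategory=person))',
        attrs  => ['mail'],
    );
    die "lookup of $dn failed: " . $res->error if $res->code;
    my ($entry) = $res->entries;
    return $mail_cache{$dn} = $entry ? $entry->get_value('mail') : undef;
}

# Constructed sample DN with filter metacharacters; needs no server.
print group_member_filter('CN=Ops (EU)*,OU=Groep,DC=domain,DC=tld'), "\n";
```

For groups with more members than the server returns in one response, add the paged-results control the post already uses to `mails_for_group`.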
