Caching nested groups (member:1.2.840.113556.1.4.1941) - openldap-technical

1 Jul 2016


      We have an Active Directory domain with >6000 users and several hundred
groups. The group hierarchy is usually nested 4-5 levels deep.  Queries for
the full set of nested groups for a user take > 10 seconds each.  We have
an app (Nexus OSS) that asks for a user's nested groups on every
interaction (e.g. for each dependency needed to perform a maven build) and
does not perform local caching.
I am trying to implement a slapd + meta + pcache solution that will proxy
the LDAP query, cache the results, and significantly speed up user
interactions with this app.  I have tried many configurations.  I can
always proxy the request, but I haven't yet been able to fully cache the
results.  I have had the most success with the passthru module from
https://github.com/cbueche/openldap-passthru and rwm.  In this
configuration, slapd proxies inbound filters like "(member=CN=my
name,ou=users,dc=some,dc=structure)" and passes that on to AD as
"member:1.2.840.113556.1.4.1941:=CN=my
name,ou=userss,dc=some,dc=structure)".  AD returns the group DNs but slapd
partially caches the result.  The cached results are the direct group
memberships, not the complete set of nested groups.
Is what I want to do possible?  If so, can someone please point me in the
right direction?
Here is my slapd.conf file:
-----------------------------
### Logging
###################################################################
loglevel                -1
logfile /var/log/openldap.log
### Schema includes
###########################################################
include /etc/openldap/schema/microsoftattributetype.schema
include /etc/openldap/schema/microsoftattributetypestd.schema
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
include /etc/openldap/schema/microsoftobjectclass.schema
## Module paths
##############################################################
modulepath              /usr/local/libexec/openldap
moduleload              back_meta
moduleload              back_ldap
moduleload              back_bdb
moduleload              mr_passthru
moduleload              pcache
moduleload              rwm
# Main settings
###############################################################
pidfile                 /var/run/openldap/slapd.pid
argsfile                /var/run/openldap/slapd.args
### Database definition (Proxy to AD)
#########################################
database                meta
chase-referrals yes
suffix                  "dc=some,dc=structure"
uri                     "ldap://a.b.c.d:3268/dc=some,dc=structure"
readonly                yes
protocol-version        3
rebind-as-user yes
rootdn "CN=zNexus,OU=Service Accounts,OU=myorg,DC=some,DC=structure"
rootpw "--obfuscated--"
idassert-bind binddn="CN=zNexus,OU=Service
Accounts,OU=myorg,DC=some,DC=structure"
                  credentials="--obfuscated--"
bindmethod=simple
mode=none
idassert-authzFrom "*"
rewriteEngine on
#rewrite searches
rewriteContext searchFilter
rewriteRule "member=(.*)" "(member:1.2.840.113556.1.4.1941:=%1" ":"
rewriteRule "memberOf=(.*)" "(memberOf:1.2.840.113556.1.4.1941:=%1" ":"
overlay pcache
pcache bdb 100000 2 10000 600
directory /var/tmp/openldap-cache
cachesize 20000
pcacheMaxQueries 10000
index objectClass                       eq,pres
index userAccountControl eq
index member eq
index memberOf eq
index ou,cn,mail,surname,givenname      eq,pres,sub
index objectCategory,sAMAccountName     eq,pres,sub
pcacheAttrset 0 cn
pcacheTemplate (&(objectClass=)(&(cn=)(member=))) 0 600 60
pcacheTemplate (member=) 0 600 60
pcacheTemplate (memberOf=) 0 600 60
pcacheTemplate (&(cn=*)(member=)) 0 600 60
pcacheTemplate
(&(objectClass=)(sAMAccountName=)(&(objectCategory=)(userAccountControl=)))
0 600 60
pcacheAttrset 1 sAMAccountName cn mail labeledUri memberOf member
objectClass
pcacheTemplate
(&(objectClass=)(sAMAccountName=)(&(objectCategory=)(userAccountControl=)))
1 600 60
pcacheTemplate
(&(objectClass=)(sAMAccountName=*)(&(objectCategory=)(userAccountControl=)))
1 600 60
-----------------------------
Here is what the client sees the first and second time the query is run for
a user that is directly in one group but in many groups via nesting.  (The
group DNs have been obfuscated but in reality they are all unique.)  On the
first run, ldapsearch correctly returns 158 total (nested and direct)
groups.  On the second run, ldapsearch only returns the one direct group.
### RUN 1 ###
ldap_initialize( ldap://127.0.0.1 )
filter: (member=cn=Some User,ou=Users,ou=External,dc=some,dc=structure)
requesting: cn
dn: cn=TT-RndGroup-Read,ou=...,ou=External,dc=some,dc=structure
cn: TT-RndGroup-Read
dn: cn=IO-RndGroup-Read,ou=...,ou=External,dc=some,dc=structure
cn: IO-RndGroup-Read
dn: cn=Vi-RndGroup-Read,ou=...,ou=External,dc=some,dc=structure
cn: Vi-RndGroup-Read
dn: cn=SE-RndGroup-Read,ou=...,ou=External,dc=some,dc=structure
cn: SE-RndGroup-Read
<snip 154 more CNs....>
real 0m14.167s
user 0m0.003s
sys 0m0.025s
### RUN 2 ###
ldap_initialize( ldap://127.0.0.1 )
filter: (member=cn=Some User,ou=Users,ou=External,dc=some,dc=structure)
requesting: cn
dn: cn=Vi-RndGroup-Read,ou=...,ou=External,dc=some,dc=structure
cn: Vi-RndGroup-Read
real 0m4.310s
user 0m0.000s
sys 0m0.004s
-----------------------------
Thanks,
Ryan