Firat Milanlioglu created NIFI-15797:
----------------------------------------
Summary: Optimize AD/LDAP Search in LdapUserGroupProvider
(objectCategory & Returning Attributes)
Key: NIFI-15797
URL: https://issues.apache.org/jira/browse/NIFI-15797
Project: Apache NiFi
Issue Type: Improvement
Reporter: Firat Milanlioglu
Hello Team,
In large-scale Enterprise Active Directory environments, the current
implementation of {{LdapUserGroupProvider}} causes significant performance
bottlenecks (High-Cost Queries) due to two architectural limitations:
*1. Hardcoded "objectClass" enforcing Full-Table Scans in AD:* Currently, the
{{Group Object Class}} property is required, and NiFi always prepends
{{(objectClass=...)}} to the query. In Microsoft AD, {{objectClass}} indexing
is highly inefficient (low selectivity). AD optimizations require using
{{objectCategory}} for indexed searches. _Proposal:_ Make {{Group Object
Class}} optional. If left blank, NiFi should just pass the raw {{Group Search
Filter}} directly, allowing users to strictly use {{(objectCategory=Group)}}
without causing invalid LDAP syntax errors.
*2. Network & Memory Payload Overhead (Fetching ALL Attributes):* Currently,
NiFi executes the LDAP search without specifying returning attributes,
resulting in AD returning {{[all]}} attributes for every group found. For
environments with 10k+ groups, this generates massive payload transfers (e.g.,
4-5 seconds query time) just to extract {{cn}} and {{{}member{}}}. _Proposal:_
Introduce a new property, e.g., {{Group Returning Attributes}}
(comma-separated). Pass this to
{{{}SearchControls.setReturningAttributes(){}}}. Defaulting this to {{cn,
member}} would drastically reduce disk I/O, network payload, and memory
footprint during the sync interval.
Implementing these two simple changes would make NiFi's LDAP provider truly
enterprise-grade for large Microsoft Active Directory deployments.
Thanks.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
