Performance Issues with Large LDAP Repository - 100,000 users or more
Symptoms
Permission checking and logins can take minutes with huge LDAP repositories.
Cause
In case a user and its group memberships have not been cached the query runs through all levels of the AD hierarchy searching for groups that this user belongs to, retrieving all possible group memberships that match the query and returning the results for confluence. This expensive query is responsible for the massive amount of data returned to confluence as all matching groups with all members in each group are returned. This is the way the ldap group adaptor is implemented - each group object is returned as a list of members.
Resolution
This is a signficant error that requires careful consideration.
Here are Atlassian's suggested options:
- Use Atlassian Crowd as your Single Sign On interface to Active Directory.
- Restructure Active Directory for Confluence users and group them in new groups so that queries do not return these very large groups objects. You can then use a more specific base for the group search. Configure a more specific node in your baseUserNameSpace setting and set userSearchAllDepths to false. Alternatively, set a user search filter. See How to write LDAP search filters.
- Revert back and manage groups within Confluence - ie modify atlassian user to ignore groups. See Add LDAP Integration For User Authentication Only.