Lot of ldap traffic

reported_bug
ldap
9.1.x
help

#1

Hello everybody.
I have an OC 9 with LDAP configured and running. My question is: using tcpdump I see a lot of traffic between my OC server and the LDAP server, roughly every 10 seconds, even when no users are connected to the OC server. Is this the normal behaviour of OC? My LDAP configuration has TTL = 600 (the default value). Maybe a wrong LDAP configuration?


#2

That should not be related to a misconfiguration of your LDAP. How many users do you have in your LDAP? Could you print the contents of the oc_jobs table in your database?

However, this should not be executed that frequently, but every hour. It could be connected to the fact that you have many not yet executed jobs in your oc_jobs table, which are now trying to be executed. What cron type did you configure? AJAX or system?

However, these are the issues we are facing now with LDAP. There are specific cron jobs which are responsible for keeping ownCloud up to date with your LDAP. The idea will be to execute the cron jobs only for ownCloud users who have at least once logged in through LDAP. However, this is only efficient in case your LDAP supports MemberOf or you don't have many groups in LDAP.

Keep updated with new ownCloud releases; this is now one of the topics in the current development.


#3

Hi @mrow4a.
I have 2000 users in LDAP and I'm using the default config: AJAX.
This is my oc_jobs table:

MariaDB [(none)]> select * from privatecloudDB.oc_jobs;
+----+---------------------------------------------------+----------+------------+--------------+-------------+
| id | class                                             | argument | last_run   | last_checked | reserved_at |
+----+---------------------------------------------------+----------+------------+--------------+-------------+
|  1 | OCA\Activity\BackgroundJob\EmailNotification      | null     | 1472127613 |   1472128272 |           0 |
|  2 | OCA\Activity\BackgroundJob\ExpireActivities       | null     | 1472064218 |   1472128284 |           0 |
|  3 | OCA\DAV\CardDAV\SyncJob                           | null     | 1472062917 |   1472127877 |           0 |
|  4 | OCA\Federation\SyncJob                            | null     | 1472063991 |   1472127907 |           0 |
|  5 | OCA\Files\BackgroundJob\ScanFiles                 | null     | 1472127911 |   1472127911 |           0 |
|  6 | OCA\Files\BackgroundJob\DeleteOrphanedItems       | null     | 1472127914 |   1472127914 |           0 |
|  7 | OCA\Files\BackgroundJob\CleanupFileLocks          | null     | 1472127919 |   1472127919 |           0 |
| 10 | OCA\Files_Trashbin\BackgroundJob\ExpireTrash      | null     | 1472127929 |   1472127929 |           0 |
| 11 | OCA\Files_Versions\BackgroundJob\ExpireVersions   | null     | 1472127936 |   1472127936 |           0 |
| 17 | \OC\Authentication\Token\DefaultTokenCleanupJob   | null     | 1472127942 |   1472127942 |           0 |
| 18 | OCA\UpdateNotification\Notification\BackgroundJob | null     | 1472064160 |   1472127946 |           0 |
| 19 | OCA\User_LDAP\Jobs\UpdateGroups                   | null     | 1472127963 |   1472127962 |           0 |
| 20 | OCA\User_LDAP\Jobs\CleanUp                        | null     | 1472127982 |   1472127982 |           0 |
| 22 | OCA\DAV\CardDAV\Sync\SyncJob                      | null     |          0 |   1472122952 |  1472122952 |
| 23 | OCA\Files_Sharing\DeleteOrphanedSharesJob         | null     | 1472127504 |   1472128025 |           0 |
| 24 | OCA\Files_Sharing\ExpireSharesJob                 | null     | 1472064852 |   1472128035 |           0 |
+----+---------------------------------------------------+----------+------------+--------------+-------------+

Here's my LDAP configuration:
+-------------------------------+--------------------------------------------------------------------+
| Configuration                 | s01                                                                |
+-------------------------------+--------------------------------------------------------------------+
| hasMemberOfFilterSupport      | 1                                                                  |
| hasPagedResultSupport         |                                                                    |
| homeFolderNamingRule          | attr:cn                                                            |
| lastJpegPhotoLookup           | 0                                                                  |
| ldapAgentName                 | uid=cons,cn=users,cn=accounts,dc=xxx                               |
| ldapAgentPassword             | ***                                                                |
| ldapAttributesForGroupSearch  |                                                                    |
| ldapAttributesForUserSearch   |                                                                    |
| ldapBackupHost                |                                                                    |
| ldapBackupPort                |                                                                    |
| ldapBase                      | cn=accounts,dc=xxx                                                 |
| ldapBaseGroups                | cn=groups,cn=accounts,dc=xxx                                       |
| ldapBaseUsers                 | cn=users,cn=accounts,dc=xxx                                        |
| ldapCacheTTL                  | 600                                                                |
| ldapConfigurationActive       | 1                                                                  |
| ldapDynamicGroupMemberURL     |                                                                    |
| ldapEmailAttribute            | mail                                                               |
| ldapExperiencedAdmin          | 1                                                                  |
| ldapExpertUUIDGroupAttr       |                                                                    |
| ldapExpertUUIDUserAttr        |                                                                    |
| ldapExpertUsernameAttr        | cn                                                                 |
| ldapGroupDisplayName          | cn                                                                 |
| ldapGroupFilter               | (&(objectclass=ipausergroup)(!(cn=teachers)))                      |
| ldapGroupFilterGroups         |                                                                    |
| ldapGroupFilterMode           | 0                                                                  |
| ldapGroupFilterObjectclass    | ipausergroup                                                       |
| ldapGroupMemberAssocAttr      | member                                                             |
| ldapHost                      | ldap://ipa.xxx                                                     |
| ldapIgnoreNamingRules         |                                                                    |
| ldapLoginFilter               | (&(memberof=cn=adminusers*)(uid=%uid)(!(nsAccountLock=True)))      |
| ldapLoginFilterAttributes     |                                                                    |
| ldapLoginFilterEmail          | 0                                                                  |
| ldapLoginFilterMode           | 0                                                                  |
| ldapLoginFilterUsername       | 1                                                                  |
| ldapNestedGroups              | 0                                                                  |
| ldapOverrideMainServer        |                                                                    |
| ldapPagingSize                | 1000                                                               |
| ldapPort                      | 389                                                                |
| ldapQuotaAttribute            |                                                                    |
| ldapQuotaDefault              |                                                                    |
| ldapTLS                       | 0                                                                  |
| ldapUserDisplayName           | cn                                                                 |
| ldapUserDisplayName2          | mail                                                               |
| ldapUserFilter                | (&(memberof=cn=adminusers*)(!(nsAccountLock=True)))                |
| ldapUserFilterGroups          |                                                                    |
| ldapUserFilterMode            | 0                                                                  |
| ldapUserFilterObjectclass     | posixaccount                                                       |
| ldapUuidGroupAttribute        | auto                                                               |
| ldapUuidUserAttribute         | auto                                                               |
| turnOffCertCheck              | 0                                                                  |
| useMemberOfToDetectMembership | 1                                                                  |
+-------------------------------+--------------------------------------------------------------------+

Thank you for your attention.
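A small script for reading an oc_jobs dump like the one in this post, added here as an example; it is not ownCloud code and not from the poster. It assumes the table is pasted the way the MySQL client prints it, takes the newest last_checked value as the moment the dump was taken, and treats a non-zero reserved_at as a job that a cron run claimed and never released; both readings are assumptions and are marked as such in the code. The sample rows embedded below are the ones quoted above, re-aligned.

```python
"""Summarise an ownCloud oc_jobs dump as printed by the MySQL client.

Added example, not part of ownCloud. The rows below are the table quoted in
the post, re-aligned as the MySQL client prints them (constructed input).
"""
from datetime import datetime, timezone

OC_JOBS_DUMP = r"""
+----+---------------------------------------------------+----------+------------+--------------+-------------+
| id | class                                             | argument | last_run   | last_checked | reserved_at |
+----+---------------------------------------------------+----------+------------+--------------+-------------+
|  1 | OCA\Activity\BackgroundJob\EmailNotification      | null     | 1472127613 |   1472128272 |           0 |
|  2 | OCA\Activity\BackgroundJob\ExpireActivities       | null     | 1472064218 |   1472128284 |           0 |
|  3 | OCA\DAV\CardDAV\SyncJob                           | null     | 1472062917 |   1472127877 |           0 |
|  4 | OCA\Federation\SyncJob                            | null     | 1472063991 |   1472127907 |           0 |
|  5 | OCA\Files\BackgroundJob\ScanFiles                 | null     | 1472127911 |   1472127911 |           0 |
|  6 | OCA\Files\BackgroundJob\DeleteOrphanedItems       | null     | 1472127914 |   1472127914 |           0 |
|  7 | OCA\Files\BackgroundJob\CleanupFileLocks          | null     | 1472127919 |   1472127919 |           0 |
| 10 | OCA\Files_Trashbin\BackgroundJob\ExpireTrash      | null     | 1472127929 |   1472127929 |           0 |
| 11 | OCA\Files_Versions\BackgroundJob\ExpireVersions   | null     | 1472127936 |   1472127936 |           0 |
| 17 | \OC\Authentication\Token\DefaultTokenCleanupJob   | null     | 1472127942 |   1472127942 |           0 |
| 18 | OCA\UpdateNotification\Notification\BackgroundJob | null     | 1472064160 |   1472127946 |           0 |
| 19 | OCA\User_LDAP\Jobs\UpdateGroups                   | null     | 1472127963 |   1472127962 |           0 |
| 20 | OCA\User_LDAP\Jobs\CleanUp                        | null     | 1472127982 |   1472127982 |           0 |
| 22 | OCA\DAV\CardDAV\Sync\SyncJob                      | null     |          0 |   1472122952 |  1472122952 |
| 23 | OCA\Files_Sharing\DeleteOrphanedSharesJob         | null     | 1472127504 |   1472128025 |           0 |
| 24 | OCA\Files_Sharing\ExpireSharesJob                 | null     | 1472064852 |   1472128035 |           0 |
+----+---------------------------------------------------+----------+------------+--------------+-------------+
"""

INT_COLUMNS = ("id", "last_run", "last_checked", "reserved_at")


def parse_oc_jobs(dump):
    """Turn the ASCII table into a list of dicts; numeric columns become ints."""
    header, rows = None, []
    for line in dump.splitlines():
        if not line.startswith("|"):
            continue  # skip the +---+ border lines and blank lines
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells  # first pipe-delimited line carries the column names
            continue
        row = dict(zip(header, cells))
        for col in INT_COLUMNS:
            row[col] = int(row[col])
        rows.append(row)
    return rows


def to_utc(epoch):
    """Render one oc_jobs timestamp (Unix epoch seconds) as ISO-8601 UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def summarize(jobs):
    """What an operator checks first: when the dump was taken, which jobs hold a
    reservation, which never ran, and how long ago the LDAP jobs last ran.
    Assumptions: the newest last_checked approximates the dump time, and a
    non-zero reserved_at means a cron run claimed the job and did not release it."""
    snapshot = max(j["last_checked"] for j in jobs)
    ldap = [j for j in jobs if "User_LDAP" in j["class"]]
    return {
        "snapshot": snapshot,
        "reserved": {j["id"]: snapshot - j["reserved_at"] for j in jobs if j["reserved_at"]},
        "never_run": [j["id"] for j in jobs if j["last_run"] == 0],
        "ldap_jobs": {j["id"]: snapshot - j["last_run"] for j in ldap},
        "checked_spread": snapshot - min(j["last_checked"] for j in jobs),
    }


if __name__ == "__main__":
    report = summarize(parse_oc_jobs(OC_JOBS_DUMP))
    print("dump taken around", to_utc(report["snapshot"]))
    for jid, age in report["ldap_jobs"].items():
        print(f"LDAP job {jid}: last run {age}s before the dump")
    for jid, age in report["reserved"].items():
        print(f"job {jid}: reserved_at set {age}s before the dump and never cleared")
```

Against the rows above it reports that both User_LDAP jobs ran about five minutes before the dump, and that job 22 has carried a reservation for about 89 minutes without ever having run. Pasting a fresh dump taken a few minutes later and comparing the two last_run values is a cheap way to see how often the LDAP jobs really fire under the chosen cron mode, before looking at the cache TTL.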


#4

If you're using LDAP you probably have more users than one or two. The AJAX background job configuration is the worst possible background job for such an environment.


#5

I have changed AJAX -> CRON and created the cron job at the prompt, running every 15 minutes. I'm still seeing a lot of traffic between the OC9 server and the LDAP server, roughly every 20/30 seconds. This OC9 server is for testing purposes, so only one user (admin) is connected, or sometimes nobody is connected.
Regards,


#6

(Tell me if I should create a separate post on this, but this appears related.) ... wondering if the LDAP code in ownCloud has been altered significantly, as I'm also noticing huge numbers of unnecessary LDAP authentications?
I implemented 2-factor authentication successfully with ownCloud via an OpenLDAP server linked to a Duo authentication proxy (https://duo.com/docs/ldap) which pings users with an SMS or other 2-factor method when they log in. This has worked fine thus far, but suddenly (after the upgrade) every time a user logs into ownCloud via the web it now generates at least THREE LDAP authentications before login; likewise on the desktop client, it was making a single authentication on initial login/reboot, which worked well; now the client is generating constant authentications, thus making my 2-factor setup unusable as users are deluged with text messages etc. Is there a way to control all this? What has changed?

I've shifted this into a separate topic which explains things better: https://central.owncloud.org/t/ldap-traffic-chaos-duplicate-authentications/2252


#7

Ref: