Whitespace wildcards in AD group search #1790
Comments
|
I agree with this, we shouldn't assume wildcard filtering on behalf of the WebAPI configuration manager. We should just document the use of wildcards if needed. |
|
Well, the current design uses wildcard search and multi-select so that you can assign multiple AD groups to a role. But this presents challenges even beyond the performance hit of doing the full wildcard search; suppose your AD groups have different naming conventions, you couldn't multi-select them. I think the cleanest approach is to have a string field that is comma separated. WebAPI can then perform a check on each group to see if they exist. Then move to the import steps. |
|
@konstjar I spoke with @gklebanov to ask if the fix for this bug can be incorporated into the next release of Atlas/WebAPI and he suggested tagging you. This bug is still negatively impacting organizations with large LDAP registries who want to use Atlas LDAP authentication and import users from LDAP into Atlas. @alondhe suggested a code fix at the top of this issue: "I worked around this by making a modified version of the WhitespaceWildcardsFilter class that just adds the wildcard at the end. I do think perhaps this field shouldn't add wildcards, rather, let the user (which is most likely an admin) explicitly state the search string (with or without wildcards)." |
|
@alex-odysseus Please assign someone from team to work on this |
|
thanks @konstjar |
chrisknoll
moved this from Under Review
to Review Complete
in Atlas/WebAPI Issue Triage
Expected behavior
When searching for groups in the Import LDAP function, search results return.
Actual behavior
Due to the usage of WhitespaceWildcardsFilter, the search string has wildcards on both sides, which causes the search to time out in larger AD systems.
https://github.com/OHDSI/WebAPI/blob/master/src/main/java/org/ohdsi/webapi/user/importer/providers/AbstractLdapProvider.java#L31
Steps to reproduce behavior
Connect to AD, import LDAP groups, click on a role and try to search for an AD group using a part of the full group name.
I worked around this by making a modified version of the WhitespaceWildcardsFilter class that just adds the wildcard at the end. I do think perhaps this field shouldn't add wildcards, rather, let the user (which is most likely an admin) explicitly state the search string (with or without wildcards).
The text was updated successfully, but these errors were encountered: