C# LDAP performance

Problem description

Where I work, we have two modes of authentication:

CAS is the primary method, but it is often unreliable at peak traffic times and so we have been using LDAP as a fallback mode for when we notice that CAS is down. Previously, we were using PHP for doing our LDAP fallback and got reasonable performance. There wasn't a noticeable delay during login other than the expected network lag times. A login took probably ~250-500ms to complete using LDAP.

Now, we are making a new system and have chosen ASP.NET MVC4 as the platform rather than PHP and I am tasked with trying to get this fallback working again. I have been pulling my hair out for about 6 hours now trying different things over and over again, getting the same result (perhaps I am insane). I have finally managed to connect to LDAP, authenticate the user, and get their attributes from LDAP. However, the query consistently takes 4.5 seconds to complete no matter what method I try.

This is very surprising to me seeing as the PHP version was able to do nearly the same thing in 1/8th the time and it would seem that the .NET framework has excellent support for LDAP/ActiveDirectory. Am I doing something incredibly horribly wrong?

Here are the guts of my function as it stands now (this one is the latest iteration that manages to do everything in one 4.5 second query):

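// Namespaces this method relies on:
using System.Diagnostics;
using System.DirectoryServices.Protocols;
using System.Net;

public Models.CASAttributes Authenticate(string username, string pwd)
{
    // Bind DN built directly from the supplied username
    string uid = string.Format("uid={0},ou=People,o=byu.edu", username);

    // Arguments: server, port, fullyQualifiedDnsHostName, connectionless
    LdapDirectoryIdentifier identifier = new LdapDirectoryIdentifier("ldap.byu.edu", 636, false, false);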

    try
    {
        using (LdapConnection connection = new LdapConnection(identifier))
        {
            connection.Credential = new NetworkCredential(uid, pwd);
            connection.AuthType = AuthType.Basic;
            connection.SessionOptions.SecureSocketLayer = true;
            connection.SessionOptions.ProtocolVersion = 3;

            string filter = "(uid=" + username + ")";
            SearchRequest request = new SearchRequest("ou=People,o=byu.edu", filter, SearchScope.Subtree);
            Stopwatch sw = Stopwatch.StartNew();
            SearchResponse response = connection.SendRequest(request) as SearchResponse;
            sw.Stop();
            Debug.WriteLine(sw.ElapsedMilliseconds);
            foreach (SearchResultEntry entry in response.Entries)
            {
                Debug.WriteLine(entry.DistinguishedName);
                foreach (System.Collections.DictionaryEntry attribute in entry.Attributes)
                {
                    Debug.WriteLine(attribute.Key + " " + attribute.Value.GetType().ToString());
                }
                Debug.WriteLine("");
            }
        }
    }
    catch
    {
        Debugger.Break();
    }

    Debugger.Break();
    return null; //debug
}

The PHP version of this follows this sequence:

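  1. Bind anonymously and query the user information using the base DN and cn
  2. Bind again using the user's username and password to see whether they are authentic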

It does two binds (connects?) in 1/8th the time it takes the .NET version to do one! It's this sort of thing that makes me think I am missing something.

I have tried methods based on the following sites:

  • http://roadha.us/2013/04/ldap-authentication-with-c-sharp/ - Required 2 queries to do what I wanted and was too slow. I went through probably 6 different tries of doing it differently (varying the authentication & connection settings, etc).
  • http://web.byu.edu/docs/ldap-authentication-0 - One PHP version, but has a small snippet about .NET at the bottom. I needed to get the profile as well and they weren't exactly descriptive.
  • System.DirectoryServices is slow? (http://stackoverflow.com/questions/1846436/system-directoryservices-is-slow) - Current version

Edit:

Using wireshark, I saw that the following requests are made:

  1. bindRequest passing along my uid (delta 0.7ms)
  2. bindResponse success (delta 2ms)
  3. searchRequest "ou=People,o=byu.edu" wholeSubtree (delta 0.2ms)
  4. searchResEntry "uid=my uid,ou=People,o=byu.edu" | searchResDone success 1 result (delta 10.8ms)
  5. unbindRequest (delta 55.7ms)

Clearly, the overhead is coming from .NET and not from the requests. These don't add up to 4.5 seconds in any way, shape, or form.

Recommended answer

ldap.byu.edu sure looks like a fully qualified DNS host name. You should change your LdapDirectoryIdentifier constructor to new LdapDirectoryIdentifier("ldap.byu.edu", 636, true, false).
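
Added example, not code from the question or the answer: the same fallback login with the answer's constructor change applied, plus handling for the username that the question's code concatenates unescaped into the bind DN and the search filter. The host, port and DNs come from the question; the class name `LdapFallback`, the `SafeUid` account-name pattern and the 5-second timeout are assumptions.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text.RegularExpressions;

public static class LdapFallback   // hypothetical class name
{
    // Assumed account-name policy; \z (not $) so a trailing newline is rejected.
    static readonly Regex SafeUid = new Regex(@"\A[A-Za-z0-9._-]{1,64}\z");

    // RFC 4515 escaping for a value placed inside a search filter (backslash first).
    public static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    // Returns the user's entry on a successful bind, otherwise null.
    public static SearchResultEntry Authenticate(string username, string pwd)
    {
        // Refuse names that could alter the bind DN or filter, and empty passwords:
        // a simple bind with an empty password is treated as unauthenticated (RFC 4513)
        // and may be reported as success.
        if (username == null || !SafeUid.IsMatch(username) || string.IsNullOrEmpty(pwd))
            return null;

        // Third argument true: "ldap.byu.edu" is a fully qualified DNS host name.
        var id = new LdapDirectoryIdentifier("ldap.byu.edu", 636, true, false);
        using (var conn = new LdapConnection(id))
        {
            conn.Credential = new NetworkCredential("uid=" + username + ",ou=People,o=byu.edu", pwd);
            conn.AuthType = AuthType.Basic;
            conn.SessionOptions.SecureSocketLayer = true;
            conn.SessionOptions.ProtocolVersion = 3;
            conn.Timeout = TimeSpan.FromSeconds(5);   // assumed bound for a login fallback
            try { conn.Bind(); }
            catch (LdapException) { return null; }    // invalid credentials or server unavailable

            var req = new SearchRequest("ou=People,o=byu.edu",
                "(uid=" + EscapeFilterValue(username) + ")", SearchScope.Subtree);
            var resp = (SearchResponse)conn.SendRequest(req);
            return resp.Entries.Count == 1 ? resp.Entries[0] : null;
        }
    }
}
```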
