LDAP synchronisation process takes too long if number of users or groups is large
症状
After integrating Confluence 3.5 or later with your LDAP server, the user synchronisation process takes an unacceptably long time or uses too much memory.
原因
Your LDAP server contains more than the number of users, groups and memberships supported by the synchronising LDAP functionality in Confluence (as per User Management Limitations and Recommendations).
If you are unable to reduce the number of users or groups visible to Confluence by configuring more restrictive LDAP filters, we recommend using an "Internal Directory with LDAP Authentication" as an alternative.
The migration process from Confluence 3.4 or earlier is described below.
ソリューション
Configure a new "Internal Directory with LDAP Authentication" directory and enable the options to copy users and their memberships on login:
- Upgrade to Confluence 3.5.13 or later.
- Ensure you DO NOT COPY your atlassian-user.xml configuration file across as the standard Upgrading Confluence procedure.
- Configure a new "Internal Directory with LDAP Authentication" directory with the same LDAP server and filter settings used in your previous Confluence install.
- Ensure the "Copy Users on Login" check box is ticked, and your User Schema Settings are filled out correctly
- Ensure the "Synchronise Group Memberships" check box is ticked, and your Group Schema Settings and Membership Schema Settings are filled out correctly.
- Run the migration script located at http://<baseURL>/admin/migrate-external-memberships.action.
If you have a large number of users the migration can be a time consuming process. As a guide, an instance with 115,000 users, 20,000 groups and 300,000 memberships will take approximately 1.5 hours.
Technical notes
The "Internal Directory with LDAP Authentication" directory does not attempt to synchronise user information with your LDAP server periodically. Instead, if the options are enabled, it will copy a single user's details and memberships when that user authenticates.
This means that users will only appear in Confluence after they successfully authenticate for the first time. Changes made in Confluence to a user's memberships will persist if the group was created by Confluence. If the group was created by LDAP, the user's memberships will revert to the state on the LDAP server next time they log in. To prevent a user logging in to Confluence, you can disable them through the Confluence UI.
The migration process done in the last step runs through all the users who had logged into Confluence 3.4 or earlier (as recorded in the external_entities table), and copies their details and memberships from LDAP.