git.samba.org - samba.git/commit

author	Tim Beale <timbeale@catalyst.net.nz>
	Wed, 19 Jun 2019 21:20:09 +0000 (09:20 +1200)
committer	Andrew Bartlett <abartlet@samba.org>
	Wed, 24 Jul 2019 02:24:27 +0000 (02:24 +0000)
commit	630857c71eff6332a6c94292ee840fa86a727f10
tree	fbe7263b99cfaf5c074f2d7bc7708bc6151284b6	tree
parent	7abfa6778f309bc3c1cfdb45042f708e81cfad9d	commit \| diff

traffic_replay: Avoid DB full scans in LDAP searches

When generating LDAP search traffic, a full DB scan can be very costly.
Avoiding full-scan LDAP searches means that we can run traffic_replay
against a 100K user DB and get some sane results.

Because the traffic_learner doesn't record the LDAP search filter at all,
the traffic_replay LDAP searches default to being full scans.
Doing full scans meant that the LDAP search was usually the first packet
type to exceed the max latency and fail the test. It could also skew
results for the other packet types by creating big demands on memory/CPU/
DB-lock-time.

It's hard to know for sure exactly what real-world LDAP searches will
look like, but let's assume full scan searches will be fairly rare.
In traffic-model files we've collected previously, some of the
attributes are fairly unique (e.g. pKIExtendedKeyUsage), and as there
are some LDAP queries specified in MS specs (such as MS-GPOL and
MS-WCCE), it allows us to infer what the search filter might be.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

python/samba/emulate/traffic.py		diff \| blob \| history
python/samba/emulate/traffic_packets.py		diff \| blob \| history