Reduce redundant LDAP calls without caching #290
base: master
+1
Tested, working as expected.
Tested, working as expected.
Looks fine.
Applicable Issues
Description of the Change
Basics
LDAP protocol: It is a protocol used for accessing and maintaining distributed directory information services over a network. It's commonly used for managing user information and facilitating authentication and authorization.
LDAP Directory: This acts like a database, but unlike traditional databases that are table-based, LDAP directories are tree-structured. They store entries (like users) in a hierarchical format.
Context Source (LdapContextSource):
LdapContextSource: It is a configuration setup that provides details about how to connect to the LDAP server. It includes information such as the URL of the LDAP server, credentials to access it (if necessary), and the base directory from which to perform operations.
Direct Bind: In LDAP terminology, "binding" is the method by which LDAP clients authenticate to the LDAP server. A "direct bind" involves attempting to connect (or "bind") to the LDAP server using a complete user DN (Distinguished Name, which is the unique path to a specific entry in the LDAP directory) and password.
BindAuthenticator: This is a component used in Spring Security that performs authentication by attempting a direct bind with the LDAP server. It's different from just querying the server with a username/password combination; it actually tries to establish a connection using those credentials.
How does BindAuthenticator work?
Once the DN is located, BindAuthenticator attempts to bind to the LDAP server using that DN and the password supplied by the user.
Earlier vs Now approach
ldapAuthentication() is a DSL (Domain Specific Language) to simplify the configuration. Internally it performs many of the same steps as the manual configuration, but with reasonable defaults. This was leading to 6 LDAP calls. On closely monitoring the Wireshark details, we see a reduction of LDAP calls from 6 to 4, with BindAuthenticator removing redundant LDAP calls.
Alternate Designs
Possible Drawbacks
Sign-off
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
Signed-off-by:
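As an added illustration of the direct-bind setup the description above refers to (example code written for this page, not the PR's diff or the project's own configuration), here is an explicit Spring Security BindAuthenticator configuration showing the two ways a user's DN can be resolved before the bind. The server URL, base DN, service-account DN and DN pattern are placeholders, and the environment variable name is an assumption.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.authentication.BindAuthenticator;
import org.springframework.security.ldap.authentication.LdapAuthenticationProvider;
import org.springframework.security.ldap.search.FilterBasedLdapUserSearch;

@Configuration
public class DirectBindLdapConfig {

    // Placeholder directory; the base DN in the URL becomes the root for relative DNs below.
    private static final String LDAP_URL = "ldaps://ldap.example.test:636/dc=example,dc=test";

    /**
     * Context source: where the server is and which account (if any) performs searches.
     * The Spring container calls afterPropertiesSet() on this bean, so no manual init is needed.
     */
    @Bean
    public DefaultSpringSecurityContextSource contextSource() {
        DefaultSpringSecurityContextSource cs = new DefaultSpringSecurityContextSource(LDAP_URL);
        // Service account is only required for the search-then-bind variant; keep its
        // secret out of source and give it read-only rights on the people subtree.
        cs.setUserDn("cn=svc-auth,ou=services,dc=example,dc=test");
        cs.setPassword(System.getenv("LDAP_SVC_PASSWORD")); // assumed variable name
        return cs;
    }

    /** Variant A: look the user up first (one search), then bind as the DN found (one bind). */
    @Bean
    public AuthenticationProvider searchThenBindProvider(DefaultSpringSecurityContextSource cs) {
        BindAuthenticator authenticator = new BindAuthenticator(cs);
        // {0} is replaced with the login name; Spring LDAP escapes it for the filter.
        authenticator.setUserSearch(new FilterBasedLdapUserSearch("ou=people", "(uid={0})", cs));
        return new LdapAuthenticationProvider(authenticator);
    }

    /** Variant B: derive the DN from a pattern and bind directly, with no search round-trip. */
    @Bean
    public AuthenticationProvider directBindProvider(DefaultSpringSecurityContextSource cs) {
        BindAuthenticator authenticator = new BindAuthenticator(cs);
        // Relative to the base DN in LDAP_URL; {0} is the login name, escaped for a DN.
        authenticator.setUserDnPatterns(new String[] {"uid={0},ou=people"});
        return new LdapAuthenticationProvider(authenticator);
    }
}
```

LdapAuthenticationProvider rejects an empty password before any bind is attempted, which matters because an LDAP simple bind with an empty password is treated as an anonymous bind by many servers rather than a failed login.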