
Optimize the total number of LDAP connections #12

Open
fredreichbier opened this issue Feb 22, 2017 · 1 comment
fredreichbier commented Feb 22, 2017

We assume an application that uses a service account to look up the DN from a login name. Then, the login flow results in several LDAP connections established by the LDAP proxy or privacyIDEA. The flow looks like this:

  • User enters credentials, app looks up DN via the LDAP proxy (LDAP Connection 1)
  • App sends bind request to LDAP proxy
  • LDAP proxy looks up login name from DN (LDAP Connection 2)
  • LDAP proxy invokes /validate/check of privacyIDEA with the login name
  • privacyIDEA looks up the UID attribute (e.g. entryUUID) of the LDAP entry connected with the login name to figure out the user's tokens (LDAP Connection 3)

In other words, one login attempt results in 3 additional LDAP Connections, which may be a performance bottleneck.

Ideas:

  • Cache the DN<->login name mapping in the LDAP proxy, so that we do not need Connection 2. We could either populate the cache once and keep it for hours/days/weeks, or we could try to figure out the DN<->login name mapping in Connection 1 and cache it for some seconds.
  • Retrieve the entryUUID in Connection 2 and pass it to privacyIDEA so that we do not need Connection 3. This would require a new privacyIDEA feature, in which we directly pass the user's UID to /validate/check instead of the login name.
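To make the connection counts of the flow above and of the two ideas concrete, here is an added simulation (not code from the issue or from the privacyIDEA LDAP proxy). The directory entries, the `FakeLdap` counter, the `DnCache` and the `login_flow` function are all constructed for illustration; each lookup stands for one LDAP connection.

```python
import time

# Constructed sample directory (not real data): login name, DN, entryUUID.
ENTRIES = [
    ("alice", "uid=alice,ou=people,dc=example,dc=com", "11111111-aaaa"),
    ("bob", "uid=bob,ou=people,dc=example,dc=com", "22222222-bbbb"),
]
BY_LOGIN = {login: (dn, uuid) for login, dn, uuid in ENTRIES}
BY_DN = {dn: (login, uuid) for login, dn, uuid in ENTRIES}


class FakeLdap:
    """Stand-in directory that counts every connection a lookup would open."""
    def __init__(self):
        self.connections = 0

    def search_by_login(self, login):   # what the app (Conn 1) and privacyIDEA (Conn 3) do
        self.connections += 1
        return BY_LOGIN[login]

    def search_by_dn(self, dn):         # what the proxy does on bind (Conn 2)
        self.connections += 1
        return BY_DN[dn]


class DnCache:
    """DN -> (login name, entryUUID) with a short TTL; only positive results are stored."""
    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock, self._items = ttl, clock, {}

    def get(self, dn):
        item = self._items.get(dn)
        if item is None or item[0] <= self.clock():
            self._items.pop(dn, None)   # expired entries are dropped, never reused
            return None
        return item[1]

    def put(self, dn, value):
        self._items[dn] = (self.clock() + self.ttl, value)


def login_flow(ldap, login, cache=None, pass_uuid=False, known_dn=None):
    """Replays one login from the issue and returns the LDAP connections it needed.
    known_dn models an app that already knows the user's DN and binds directly."""
    ldap.connections = 0
    if known_dn is None:
        dn, uuid = ldap.search_by_login(login)   # Conn 1: app resolves DN via the proxy
        if cache is not None:                     # idea 1: proxy learns the mapping here
            cache.put(dn, (login, uuid))
    else:
        dn = known_dn
    mapping = cache.get(dn) if cache is not None else None
    if mapping is None:
        mapping = ldap.search_by_dn(dn)          # Conn 2: proxy resolves login for DN
    login_name, entry_uuid = mapping
    if not pass_uuid:                             # idea 2: pass entryUUID to /validate/check
        ldap.search_by_login(login_name)          # Conn 3: privacyIDEA resolves the UID
    return ldap.connections
```

With no cache the flow costs 3 connections, the cache removes Connection 2, passing the entryUUID removes Connection 3, and an expired cache entry falls back to Connection 2 rather than serving a possibly stale DN mapping.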
cornelinux (Member) commented:
Yes. There could be even more LDAP connections if privacyIDEA is configured so that the user should use his LDAP password as OTP PIN.
