Version History

Version v2.7.0 (2025-11-14)

Features

  • Virtual Attributes: Compute attribute values on-demand instead of storing them, solving performance and storage issues with massive multi-valued attributes (100k+ values).

    • Define attributes using LDAP filter expressions with variable substitution
    • Two patterns supported:
      • Cross-reference: Compute relationships to other entries (e.g., finding all groups a user belongs to via groupMembership)
      • Self-reference: Filter based on current entry’s attributes (e.g., computing userLevel based on departmentNumber)
    • Zero storage overhead and always up-to-date
    • Transparent to LDAP clients - virtual attributes work in searches, filters, and sorting
    • Optimized SQL queries leverage existing partitioning and indexing

    Configuration Example:

    ldap {
      virtualAttributes {
        # Cross-reference: Find all groups where this user is a member
        groupMembership {
          filter = "(member={{current.entryDN}})"
          value = "{{other.entryDN}}"
        }
        # Self-reference: Compute user level based on department
        userLevel {
          filter = "(departmentNumber=Executive)"
          value = "senior"
        }
      }
    }
    transcribes = [
      {
        type = "user"
        ldap {
          attributes = """
            cn, sn, mail, groupMembership, userLevel
          """
          # groupMembership and userLevel will be computed virtually
        }
      }
    ]

    Use Cases:

    • Massive multi-valued attributes like equivalentToMe on roles (prevents timeouts and database bloat)
    • Reverse lookups without storing redundant data (e.g., “show me all groups this user belongs to”)
    • Computed attributes based on entry’s own properties (e.g., access levels, flags)

    See reference.conf for complete documentation and additional examples.
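
The sketch below is an added illustration, not the product's code: a minimal Python model of how the two patterns in the configuration example resolve when an entry is read. The sample entries, the single-equality filter parser, and the rule that any `{{...}}` variable marks a cross-reference are assumptions of this model.

```python
import re

# Constructed sample directory (not from the product): entryDN -> attributes.
ENTRIES = {
    "cn=alice,ou=users,o=example": {"departmentNumber": ["Executive"]},
    "cn=bob,ou=users,o=example": {"departmentNumber": ["Sales"]},
    "cn=admins,ou=groups,o=example": {"member": ["cn=alice,ou=users,o=example"]},
    "cn=staff,ou=groups,o=example": {
        "member": ["cn=alice,ou=users,o=example", "cn=bob,ou=users,o=example"]},
}
# The two definitions from the configuration example above.
VIRTUAL = {
    "groupMembership": ("(member={{current.entryDN}})", "{{other.entryDN}}"),
    "userLevel": ("(departmentNumber=Executive)", "senior"),
}
VAR = re.compile(r"\{\{(current|other)\.(\w+)\}\}")
TERM = re.compile(r"^\((\w+)=(.*)\)$")  # model supports a single equality term


def values(dn, name):
    """Attribute values of an entry; entryDN comes from the key itself."""
    return [dn] if name == "entryDN" else ENTRIES.get(dn, {}).get(name, [])


def expand(template, scope):
    """Replace {{current.x}} / {{other.x}} with that entry's first x value."""
    def sub(m):
        found = values(scope[m.group(1)], m.group(2))
        return found[0] if found else ""
    return VAR.sub(sub, template)


def matches(filter_tpl, target_dn, scope):
    """Parse the template first, then substitute, so substituted values are
    compared as data and are never re-read as filter syntax."""
    name, value_tpl = TERM.match(filter_tpl).groups()
    wanted = expand(value_tpl, scope).lower()
    return any(v.lower() == wanted for v in values(target_dn, name))


def compute(dn, vattr):
    """Compute one virtual attribute for entry `dn` at read time."""
    flt, val = VIRTUAL[vattr]
    if VAR.search(flt + val):  # assumed rule: any variable means cross-reference
        return sorted(expand(val, {"current": dn, "other": other})
                      for other in ENTRIES
                      if matches(flt, other, {"current": dn}))
    # Self-reference: the filter is tested against the entry itself.
    return [val] if matches(flt, dn, {}) else []
```
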

Fixes

  • Checkpoint Advancement Under Load: Checkpoint timestamps now advance incrementally during continuous LDAP synchronization. Previously, checkpoints only updated when the system was idle, causing delays in offline delete detection and reconciliation. This fix improves responsiveness and ensures timely change detection even under sustained traffic.
  • Reduced Monitoring Overhead: Simplified Prometheus metric buckets for compression and entropy monitoring, reducing time series by ~40-50%. This lowers memory usage and speeds up dashboard queries while maintaining all actionable thresholds. Existing dashboards remain compatible with no changes required.
  • LDAP Connection Monitoring: Fixed an issue where LDAP connection metrics could show negative values in Prometheus monitoring. Connection tracking is now more accurate and reliable.
  • LDAP Search Performance: Improved search filter processing for extended DN match filters, ensuring more accurate results.
  • Enhanced Logging: Better diagnostic logging when operations are forwarded to the source LDAP server. Logs now include more context about entry types to help with configuration and troubleshooting.
  • Query Optimization: Improved performance of LDAP filter processing by optimizing queries for common operational attributes, reducing unnecessary database overhead.
  • SQL Function Optimization: Replaced PL/pgSQL functions with SQL functions to improve performance and reduce database overhead.
  • SQL Index Optimization: Statistics are now gathered for function-based indexes to help the query planner choose the right indexes.
  • Prometheus Metrics Restructuring: Reorganized LDAP forwarding metrics to ensure reliable metric collection and prevent registration errors. This change improves monitoring reliability but requires dashboard updates.