I am using 2009.02.14 DokuWiki on Windows Server 2003 + IIS with acl, blog, comments etc. with AD passthrough authentication.
I have configured AD integration using this manual: http://www.dokuwiki.org/auth:ad. I noticed that the wiki became extremely slow. I captured TCP streams and noticed excessive LDAP communication. I belong to 46 AD groups. ADldap was retrieving the memberOf attribute for each of these groups and then for their parent groups recursively. I had to block the "recursive_groups" lookup to make performance usable. Even after this mod the wiki retrieves 170kB of data from the AD server just to load the start page.
I have found that both doku.php and indexer.php would do some ldap operations on each execution.
Auth.php is included in doku.php and unconditionally creates an ad_auth object. The constructor of ad_auth will open a tcp connection to the ldap server. This means that each pass of doku.php (and indexer.php) causes 1 tcp connection to ldap whether it is needed or not:
39 if (class_exists($auth_class)) {
40 $auth = new $auth_class();
Later in auth.php there is a series of conditional statements trying to reuse the previous authentication, but there is something wrong there. Each time the execution eventually goes to line 86:
86 auth_login($_REQUEST['u'],$_REQUEST['p'],$_REQUEST['r'],$_REQUEST['http_credentials']);
which causes user validation against the ldap server and a new attempt to set a cookie, as well as the next user_info call that queries ldap for group membership - potentially slow. Even if the cookie contains information from the previous run, the script keeps rewriting it.
I guess there is something wrong with the conditionals in auth.php intended for reusing the previous login, and there is also an unnecessary creation of ldap at the beginning.
The problem becomes really severe if I install plugins like "blog", "comment", "sidebar". Each plugin loads auth.php and the number of unnecessary calls to ldap starts to grow rapidly (e.g. 2 additional calls for every comment, blog entry etc.)
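
The two costs described in this report (a connection opened in the constructor, and a recursive memberOf walk repeated on every request) can be avoided with a lazy connection and a session-cached, de-duplicated group walk. The sketch below is an added example, not part of the original report and not DokuWiki or adLDAP code; the class name, the counters and the in-memory directory are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; class and names are hypothetical, not DokuWiki or adLDAP code.
final class LazyGroupResolver
{
    private $connect;        // factory that opens the directory connection
    private $fetch = null;   // callable(string $dn): string[] memberOf values, set on first use
    public $connections = 0; // counters that make the cost visible
    public $queries = 0;

    public function __construct(callable $connect)
    {
        $this->connect = $connect; // nothing is opened here
    }

    /** All direct and inherited groups of $userDn, cached in $session. */
    public function groupsFor(string $userDn, array &$session): array
    {
        if (isset($session['groups'][$userDn])) {
            return $session['groups'][$userDn]; // reuse: no connection, no query
        }
        $seen = [];
        $queue = [$userDn];
        while ($queue) {
            $dn = array_shift($queue);
            foreach ($this->memberOf($dn) as $group) {
                if (!isset($seen[$group])) { // each group is expanded once; loops terminate
                    $seen[$group] = true;
                    $queue[] = $group;
                }
            }
        }
        return $session['groups'][$userDn] = array_keys($seen);
    }

    private function memberOf(string $dn): array
    {
        if ($this->fetch === null) { // connect only when a lookup is really needed
            $this->fetch = ($this->connect)();
            $this->connections++;
        }
        $this->queries++;
        return ($this->fetch)($dn);
    }
}

// Constructed directory: two groups share a parent, and the parent loops back.
$dir = ['cn=u' => ['cn=a', 'cn=b'], 'cn=a' => ['cn=p'], 'cn=b' => ['cn=p'], 'cn=p' => ['cn=a']];
$r = new LazyGroupResolver(fn() => fn($dn) => $dir[$dn] ?? []);
$session = [];
$r->groupsFor('cn=u', $session);
$r->groupsFor('cn=u', $session); // second "page load" is served from the session
printf("connections=%d queries=%d\n", $r->connections, $r->queries);
```

Caching membership in the session delays the effect of removing a user from an AD group until the cache is refreshed, so the cached entry should carry a bounded lifetime when groups drive ACL decisions.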