...
Performance/Comparison - Currently, each returned LDAP property is compared with the property saved in the user’s record. If any of the properties are different, the existing record's fields are updated with the new attribute values. Adding the update of images in this manner will not scale very well. When retrieving LDAP data, currently all user-defined(?) attributes are returned. Images should only be returned when necessary. Updating images should potentially be a separate phase in LDAP Sync where the query could take advantage of the modifyTimestamp attributes in OpenLDAP and AD/LDAP. This may be a way to improve our entire LDAP Sync process.
After more research, the modifyTimestamp attribute will probably not be usable for this query. First, the attribute may not be present. The LDAP spec doesn’t actually require this attribute, but instead says it SHOULD be present. "Servers SHOULD maintain the 'creatorsName', 'createTimestamp', 'modifiersName', and 'modifyTimestamp' attributes for all entries of the DIT.” In addition, the attribute is not always replicated, meaning that different servers may have different values. Therefore, we probably cannot depend on this attribute for our updating.
In order to compare the photos, a hash should be created and stored. Currently, when we add a photo to Mattermost, the photo is manipulated before we save it. The comparison and hash should be made before this manipulation. This will also require when syncing Ldap Users, the images will always need to be returned from LDAP. Currently, if the LDAP system supports images, they are always being returned. Because we don’t request specific attributes, all user-defined attributes are returned. One improvement is requesting only those attributes required based on the attributes setup in the configuration. Installations not syncing images would not bring them from LDAP. A second improvement is to page the requests from the LDAP system. Currently, we bring back all LDAP users, which could be well over 100k users.