Spike: LDAP Profile Picture Updates

In order to retrieve and update Mattermost profile pictures from LDAP, we must understand how LDAP stores the images.

Microsoft Active Directory primarily stores profile images in an attribute named “thumbnailPhoto”, whereas OpenLDAP uses the attribute “jpegPhoto”. AD also has a “jpegPhoto” attribute, so that attribute could be used in AD as well. Therefore, we need to allow the administrator to enter the name of the profile photo attribute. We suggest including the two names “jpegPhoto” and “thumbnailPhoto” in the help text under the Photo textbox.

Image sizes - our documentation states we can handle a maximum file size of 50 MB. When importing files from LDAP we should check that the size is under the 50 MB maximum. The thumbnailPhoto attribute has a size limit of 100 KB; however, the “jpegPhoto” attribute doesn’t enforce a size limit. We should potentially log a warning if a photo is above a certain size, as transporting large files could hinder performance.

Image Types - Mattermost can support BMP, JPG or PNG format. It appears that LDAP supports both JPG and PNG format.

Performance/Comparison - Currently, each returned LDAP property is compared with the property saved in the user’s record. If any of the properties are different, the existing record's fields are updated with the new attribute values. Adding the update of images in this manner will not scale very well. When retrieving LDAP data, currently all user-defined(?) attributes are returned. Images should only be returned when necessary. Updating images should potentially be a separate phase in LDAP Sync where the query could take advantage of the modifyTimestamp attributes in OpenLDAP and AD/LDAP. This may be a way to improve our entire LDAP Sync process.

After more research, the modifyTimestamp attribute will probably not be usable for this query. First, the attribute may not be present. The LDAP spec doesn’t actually require this attribute, but instead says it SHOULD be present. "Servers SHOULD maintain the 'creatorsName', 'createTimestamp', 'modifiersName', and 'modifyTimestamp' attributes for all entries of the DIT.” In addition, the attribute is not always replicated, meaning that different servers may have different values. Therefore, we probably cannot depend on this attribute for our updating.

In order to compare the photos, a hash should be created and stored. Currently, when we add a photo to Mattermost, the photo is manipulated before we save it. The comparison and hash should be made before this manipulation. This also means that when syncing LDAP users, the images will always need to be returned from LDAP. Currently, if the LDAP system supports images, they are always being returned: because we don’t request specific attributes, all user-defined attributes are returned. One improvement is requesting only those attributes required by the attributes set up in the configuration, so installations not syncing images would not bring them back from LDAP. A second improvement is to page the requests to the LDAP system. Currently, we bring back all LDAP users, which could be well over 100k users.
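The pieces this spike proposes (requesting the photo attribute only when configured, the 50 MB limit check with a warning on large photos, and hashing the raw bytes before any manipulation so the next sync can compare) in one sketch, as an added example that is not Mattermost's own code; the `PhotoConfig` shape, the function names and the 100 KB warning threshold are assumptions for illustration:

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// Limits from the spike: 50 MB hard maximum; warn above thumbnailPhoto's 100 KB cap.
const (
	MaxPhotoBytes  = 50 * 1024 * 1024
	WarnPhotoBytes = 100 * 1024
)

// PhotoConfig is a hypothetical config shape: admin-entered attribute name and on/off switch.
type PhotoConfig struct {
	Attribute string // "thumbnailPhoto" for AD, "jpegPhoto" for OpenLDAP
	Enabled   bool
}

// RequestedAttributes builds an explicit attribute list so the photo is only fetched when sync is on.
func RequestedAttributes(base []string, cfg PhotoConfig) []string {
	attrs := append([]string(nil), base...)
	if cfg.Enabled && cfg.Attribute != "" {
		attrs = append(attrs, cfg.Attribute)
	}
	return attrs
}

// PhotoHash hashes the raw bytes as LDAP returned them, before any resizing or re-encoding.
func PhotoHash(raw []byte) string {
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:])
}

// DecidePhotoUpdate reports whether the picture must be replaced; storedHash is from the last sync.
func DecidePhotoUpdate(raw []byte, storedHash string) (update bool, hash string, err error) {
	if len(raw) == 0 {
		return false, "", nil // attribute absent: nothing to change
	}
	if len(raw) > MaxPhotoBytes {
		return false, "", fmt.Errorf("photo is %d bytes, over the %d byte maximum", len(raw), MaxPhotoBytes)
	}
	if len(raw) > WarnPhotoBytes {
		log.Printf("warning: LDAP photo is %d bytes; large photos slow down sync", len(raw))
	}
	hash = PhotoHash(raw)
	return hash != storedHash, hash, nil
}
```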