Merge branch 'ldap-pool' into 'main'

Add support for pooled LDAP connections

See merge request yaal/canaille!338

Author: azmeuk

CHANGES.rst

@@ -3,7 +3,8 @@
 
 Added
 ^^^^^
-- Add SQL database configuration parameters.
+- SQL database configuration parameters.
+- Pooled LDAP connection support.
 
 [0.2.4] - 2026-04-08
 --------------------

canaille/backends/ldap/backend.py

@@ -11,6 +11,8 @@
 from ldap.controls.ppolicy import PasswordPolicyControl
 from ldap.controls.ppolicy import PasswordPolicyError
 from ldap.controls.readentry import PostReadControl
+from ldappool import ConnectionManager
+from ldappool import StateConnector
 
 from canaille.app import models
 from canaille.app.configuration import CheckResult
@@ -27,6 +29,17 @@
 from .utils import python_attrs_to_ldap
 
 
+def _make_connector_cls(network_timeout):
+    """Create a StateConnector subclass that sets OPT_NETWORK_TIMEOUT."""
+
+    class _Connector(StateConnector):
+        def __init__(self, *args, **kwargs):
+            super().__init__(*args, **kwargs)
+            self.set_option(ldap.OPT_NETWORK_TIMEOUT, network_timeout)
+
+    return _Connector
+
+
 @contextmanager
 def ldap_connection(config):
     conn = ldap.initialize(config["CANAILLE_LDAP"]["URI"])
@@ -89,10 +102,22 @@ def default(self, obj):
 
 class LDAPBackend(Backend):
     json_encoder = LDAPModelEncoder
+    pool = None
 
     def __init__(self, config):
         super().__init__(config)
-        self._connection = None
+        ldap_config = self.config["CANAILLE_LDAP"]
+        LDAPBackend.pool = ConnectionManager(
+            uri=ldap_config["URI"],
+            bind=ldap_config["BIND_DN"],
+            passwd=ldap_config["BIND_PW"],
+            size=ldap_config["POOL_SIZE"],
+            max_lifetime=ldap_config["POOL_MAX_LIFETIME"],
+            retry_max=ldap_config["POOL_RETRY_MAX"],
+            retry_delay=ldap_config["POOL_RETRY_DELAY"],
+            timeout=ldap_config["TIMEOUT"],
+            connector_cls=_make_connector_cls(ldap_config["TIMEOUT"]),
+        )
 
     def init_app(self, app, init_backend=None):
         super().init_app(app, init_backend)
@@ -119,43 +144,25 @@ def setup_schemas(cls, config):
                     os.path.dirname(__file__) + "/schemas/oauth2-openldap.ldif",
                 )
 
-    @property
+    @contextmanager
     def connection(self):
-        if self._connection:
-            return self._connection
-
+        """Get a connection from the pool."""
         try:
-            self._connection = ldap.initialize(self.config["CANAILLE_LDAP"]["URI"])
-            self._connection.set_option(
-                ldap.OPT_NETWORK_TIMEOUT,
-                self.config["CANAILLE_LDAP"]["TIMEOUT"],
-            )
-            self._connection.simple_bind_s(
-                self.config["CANAILLE_LDAP"]["BIND_DN"],
-                self.config["CANAILLE_LDAP"]["BIND_PW"],
-            )
-
+            with self.pool.connection() as conn:
+                yield conn
         except ldap.SERVER_DOWN as exc:
             message = _("Could not connect to the LDAP server '{uri}'").format(
                 uri=self.config["CANAILLE_LDAP"]["URI"]
             )
             logging.error(message)
             raise ConfigurationException(message) from exc
-
         except ldap.INVALID_CREDENTIALS as exc:
             message = _("LDAP authentication failed with user '{user}'").format(
                 user=self.config["CANAILLE_LDAP"]["BIND_DN"]
             )
             logging.error(message)
             raise ConfigurationException(message) from exc
 
-        return self._connection
-
-    def teardown(self) -> None:
-        if self._connection:  # pragma: no branch
-            self._connection.unbind_s()
-            self._connection = None
-
     @classmethod
     def check_network_config(cls, config):
         from canaille.app import models
@@ -274,12 +281,12 @@ def gettext(x):
         return result, message
 
     def set_user_password(self, user, password) -> None:
-        conn = self.connection
-        conn.passwd_s(
-            user.dn,
-            None,
-            password.encode("utf-8"),
-        )
+        with self.connection() as conn:
+            conn.passwd_s(
+                user.dn,
+                None,
+                password.encode("utf-8"),
+            )
 
     def do_query(self, model, dn=None, filter=None, *args, **kwargs):
         from .ldapobjectquery import LDAPObjectQuery
@@ -325,9 +332,10 @@ def do_query(self, model, dn=None, filter=None, *args, **kwargs):
         ldapfilter = f"(&{class_filter}{arg_filter}{filter})"
         base = base or f"{model.base},{model.root_dn}"
         try:
-            result = self.connection.search_s(
-                base, ldap.SCOPE_SUBTREE, ldapfilter or None, ["+", "*"]
-            )
+            with self.connection() as conn:
+                result = conn.search_s(
+                    base, ldap.SCOPE_SUBTREE, ldapfilter or None, ["+", "*"]
+                )
         except ldap.NO_SUCH_OBJECT:
             result = []
         return LDAPObjectQuery(model, result)
@@ -475,9 +483,10 @@ def do_save(self, instance) -> None:
                 (ldap.MOD_REPLACE, name, values)
                 for name, values in formatted_changes.items()
             ]
-            _, _, _, [result] = self.connection.modify_ext_s(
-                instance.dn, modlist, serverctrls=[read_post_control]
-            )
+            with self.connection() as conn:
+                _, _, _, [result] = conn.modify_ext_s(
+                    instance.dn, modlist, serverctrls=[read_post_control]
+                )
 
         # Object does not exist yet in the LDAP database
         else:
@@ -488,24 +497,25 @@ def do_save(self, instance) -> None:
             }
             formatted_changes = python_attrs_to_ldap(changes, null_allowed=False)
             modlist = [(name, values) for name, values in formatted_changes.items()]
-            _, _, _, [result] = self.connection.add_ext_s(
-                instance.dn, modlist, serverctrls=[read_post_control]
-            )
+            with self.connection() as conn:
+                _, _, _, [result] = conn.add_ext_s(
+                    instance.dn, modlist, serverctrls=[read_post_control]
+                )
 
         instance.exists = True
         instance.state = {**result.entry, **instance.changes}
         instance.changes = {}
 
     def do_delete(self, instance) -> None:
         try:
-            self.connection.delete_s(instance.dn)
+            with self.connection() as conn:
+                conn.delete_s(instance.dn)
         except ldap.NO_SUCH_OBJECT:
             pass
 
     def do_reload(self, instance) -> None:
-        result = self.connection.search_s(
-            instance.dn, ldap.SCOPE_SUBTREE, None, ["+", "*"]
-        )
+        with self.connection() as conn:
+            result = conn.search_s(instance.dn, ldap.SCOPE_SUBTREE, None, ["+", "*"])
         instance.changes = {}
         instance.state = result[0][1]
 

canaille/backends/ldap/configuration.py

@@ -52,3 +52,29 @@ class LDAPSettings(BaseModel):
 
     GROUP_NAME_ATTRIBUTE: str = "cn"
     """The attribute to use to identify a group."""
+
+    POOL_SIZE: int = 10
+    """The number of connections to keep in the pool.
+
+    See the ``size`` parameter of :class:`ldappool.ConnectionManager`.
+    """
+
+    POOL_MAX_LIFETIME: int = 600
+    """Maximum lifetime of a connection in seconds.
+
+    Connections older than this are automatically closed and replaced.
+    Set to ``0`` to disable lifetime-based recycling.
+    See the ``max_lifetime`` parameter of :class:`ldappool.ConnectionManager`.
+    """
+
+    POOL_RETRY_MAX: int = 3
+    """Number of retry attempts when a connection fails.
+
+    See the ``retry_max`` parameter of :class:`ldappool.ConnectionManager`.
+    """
+
+    POOL_RETRY_DELAY: float = 0.1
+    """Delay in seconds between connection retry attempts.
+
+    See the ``retry_delay`` parameter of :class:`ldappool.ConnectionManager`.
+    """

canaille/backends/ldap/ldapobject.py

@@ -164,7 +164,6 @@ def must(cls):
 
     @classmethod
     def install(cls) -> None:
-        conn = LDAPBackend.instance.connection
         cls.ldap_object_classes()
         cls.ldap_object_attributes()
 
@@ -174,13 +173,14 @@ def install(cls) -> None:
             dn = f"{organizationalUnit}{acc},{cls.root_dn}"
             acc = f",{organizationalUnit}"
             try:
-                conn.add_s(
-                    dn,
-                    [
-                        ("objectClass", [b"organizationalUnit"]),
-                        ("ou", [v.encode("utf-8")]),
-                    ],
-                )
+                with LDAPBackend.instance.connection() as conn:
+                    conn.add_s(
+                        dn,
+                        [
+                            ("objectClass", [b"organizationalUnit"]),
+                            ("ou", [v.encode("utf-8")]),
+                        ],
+                    )
             except ldap.ALREADY_EXISTS:
                 pass
 
@@ -189,11 +189,10 @@ def ldap_object_classes(cls, force=False):
         if cls._object_class_by_name and not force:
             return cls._object_class_by_name
 
-        conn = LDAPBackend.instance.connection
-
-        res = conn.search_s(
-            "cn=subschema", ldap.SCOPE_BASE, "(objectclass=*)", ["*", "+"]
-        )
+        with LDAPBackend.instance.connection() as conn:
+            res = conn.search_s(
+                "cn=subschema", ldap.SCOPE_BASE, "(objectclass=*)", ["*", "+"]
+            )
         subschema_entry = res[0]
         subschema_subentry = ldap.cidict.cidict(subschema_entry[1])
         subschema = ldap.schema.SubSchema(subschema_subentry)
@@ -211,11 +210,10 @@ def ldap_object_attributes(cls, force=False):
         if cls._attribute_type_by_name and not force:
             return cls._attribute_type_by_name
 
-        conn = LDAPBackend.instance.connection
-
-        res = conn.search_s(
-            "cn=subschema", ldap.SCOPE_BASE, "(objectclass=*)", ["*", "+"]
-        )
+        with LDAPBackend.instance.connection() as conn:
+            res = conn.search_s(
+                "cn=subschema", ldap.SCOPE_BASE, "(objectclass=*)", ["*", "+"]
+            )
         subschema_entry = res[0]
         subschema_subentry = ldap.cidict.cidict(subschema_entry[1])
         subschema = ldap.schema.SubSchema(subschema_subentry)

canaille/backends/ldap/models/core.py

@@ -56,8 +56,8 @@ def get_password_hash(self):
 
     def match_filter(self, filter):
         if isinstance(filter, str):
-            conn = LDAPBackend.instance.connection
-            return self.dn and conn.search_s(self.dn, ldap.SCOPE_SUBTREE, filter)
+            with LDAPBackend.instance.connection() as conn:
+                return self.dn and conn.search_s(self.dn, ldap.SCOPE_SUBTREE, filter)
 
         return super().match_filter(filter)
 

pyproject.toml

@@ -205,6 +205,9 @@ devserver = [
 release = [
     "pyinstaller>=6.11.1",
 ]
+ldap = [
+    "ldappool>=3.0.0",
+]
 
 [project.scripts]
 canaille = "canaille.commands:cli"

tests/app/fixtures/current-app-config.toml

@@ -668,6 +668,28 @@ GROUP_BASE = "ou=groups,dc=example,dc=org"
 # The attribute to use to identify a group.
 # GROUP_NAME_ATTRIBUTE = "cn"
 
+# The number of connections to keep in the pool.
+#
+# See the size parameter of ldappool.ConnectionManager.
+# POOL_SIZE = 10
+
+# Maximum lifetime of a connection in seconds.
+#
+# Connections older than this are automatically closed and replaced. Set to 0 to
+# disable lifetime-based recycling. See the max_lifetime parameter of
+# ldappool.ConnectionManager.
+# POOL_MAX_LIFETIME = 600
+
+# Number of retry attempts when a connection fails.
+#
+# See the retry_max parameter of ldappool.ConnectionManager.
+# POOL_RETRY_MAX = 3
+
+# Delay in seconds between connection retry attempts.
+#
+# See the retry_delay parameter of ldappool.ConnectionManager.
+# POOL_RETRY_DELAY = 0.1
+
 [CANAILLE_OIDC]
 # Whether the Single Sign-On feature and the OpenID Connect API is enabled.
 # ENABLE_OIDC = true

tests/app/fixtures/default-config.toml

@@ -579,6 +579,28 @@ GROUP_BASE = "ou=groups,dc=example,dc=org"
 # The attribute to use to identify a group.
 # GROUP_NAME_ATTRIBUTE = "cn"
 
+# The number of connections to keep in the pool.
+#
+# See the size parameter of ldappool.ConnectionManager.
+# POOL_SIZE = 10
+
+# Maximum lifetime of a connection in seconds.
+#
+# Connections older than this are automatically closed and replaced. Set to 0 to
+# disable lifetime-based recycling. See the max_lifetime parameter of
+# ldappool.ConnectionManager.
+# POOL_MAX_LIFETIME = 600
+
+# Number of retry attempts when a connection fails.
+#
+# See the retry_max parameter of ldappool.ConnectionManager.
+# POOL_RETRY_MAX = 3
+
+# Delay in seconds between connection retry attempts.
+#
+# See the retry_delay parameter of ldappool.ConnectionManager.
+# POOL_RETRY_DELAY = 0.1
+
 [CANAILLE_OIDC]
 # Whether the Single Sign-On feature and the OpenID Connect API is enabled.
 # ENABLE_OIDC = true