https://bugs.openldap.org/show_bug.cgi?id=9795
--- Comment #1 from best@univention.de best@univention.de ---
The slapo-memberof(5) man page currently says:
Note that this overlay is deprecated and support will be dropped in future OpenLDAP releases. Installations should use the dynlist overlay instead. Using this overlay in a replicated environment is especially discouraged.
We tried to test the dynlist overlay module as a replacement but have huge performance problems in domains with 200.000 users.
with dynlist module (and nested group evaluation):
    $ time ldapsearch … uid=testuser548 memberOf …
    real 0m21,885s
    user 0m0,176s
    sys 0m0,067s
with dynlist module (without nested group evaluation):
    $ time ldapsearch … uid=testuser548 memberOf …
    real 0m12,797s
    user 0m0,186s
    sys 0m0,032s
with memberOf module:
    $ time ldapsearch … uid=testuser548 memberOf …
    real 0m0,248s
    user 0m0,176s
    sys 0m0,033
our slapd configuration:
    overlay dynlist
    dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@posixGroup*
and without nested evaluation:
    dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@posixGroup
Can you elaborate on why it should be removed? What are the real problems with using it? And are these performance problems known and tracked to be fixed?