https://bugs.openldap.org/show_bug.cgi?id=10025
Issue ID: 10025
Summary: Add option to disable filtered searches for memberURL groups
Product: OpenLDAP
Version: 2.5.14
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: subbarao@computer.org
Target Milestone: ---
One of the changes from 2.4 to 2.5 is that dynlist groups are now returned with (member=memberDN) searches. This is potentially appealing, but even with the ITS#9929 performance improvements, given the number of dynlist groups we have, search times are significantly impacted.
We'd like to be able to cleanly disable this feature and exclude dynlist groups from (member=memberDN) filter consideration. The only way I've found so far is to patch the dynlist code itself. What I'm currently doing is adding a continue statement right above this line in dynlist_search():
https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5_14/se...
That way the member searches are excluded, but dynlists otherwise work as expected.
Here is the dynlist config we're using, just basic support for groupOfURLs/memberURL:
overlay dynlist
dynlist-attrset groupOfURLs memberURL member
I'd like to request a configurable option to exclude dynlists from (member=memberDN) searches.