https://bugs.openldap.org/show_bug.cgi?id=10041
Issue ID: 10041 Summary: unnecessary dynlist evaluation Product: OpenLDAP Version: 2.5.14 Hardware: All OS: All Status: UNCONFIRMED Keywords: needs_review Severity: normal Priority: --- Component: overlays Assignee: bugs@openldap.org Reporter: david.coutadeur@gmail.com Target Milestone: ---
Created attachment 963 --> https://bugs.openldap.org/attachment.cgi?id=963&action=edit openldap config + data for showing the dynlist usecase
Evaluation of member of dynamic groups by dynlist can be slow.
However, in some context, the evaluation is not necessary, especially when searching object that are not dynamic groups.
You can find attached a configuration and data file showing the use case: - 10000 users - 100 static groups - 5000 dynamic groups, with a filter (&(uid=user*)(objectClass=person), grabbing all users
Example of "normal" slow search ~ 115s:
ldapsearch -x -H 'ldap://localhost:389/' -D 'uid=admin,ou=people,dc=my-organization,dc=com' -w 'secret' -b 'ou=groups,dc=my-organization,dc=com' '(member=uid=user1,ou=people,dc=my-organization,dc=com)'
Example of abnormal slow search ~ 115s:
ldapsearch -x -H 'ldap://localhost:389/' -D 'uid=admin,ou=people,dc=my-organization,dc=com' -w 'secret' -b 'ou=groups,dc=my-organization,dc=com' '(&(objectClass=groupOfNames)(member=uid=user1,ou=people,dc=my-organization,dc=com))'
Here, the filter about the objectClass could be evaluated first to avoid unnecessary search in dynamic groups.
Example of rapid search with DSA IT ~ 1ms:
ldapsearch -x -H 'ldap://localhost:389/' -D 'uid=admin,ou=people,dc=my-organization,dc=com' -w 'secret' -b 'ou=groups,dc=my-organization,dc=com' '(&(objectClass=groupOfNames)(member=uid=user1,ou=people,dc=my-organization,dc=com))' -M