https://bugs.openldap.org/show_bug.cgi?id=9795
Issue ID: 9795
Summary: Remove memberof overlay
Product: OpenLDAP
Version: 2.6.1
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: quanah@openldap.org
Target Milestone: ---

The memberof overlay was deprecated with the release of OpenLDAP 2.5. It should be removed prior to the next minor release (i.e., 2.7).
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Keywords        |needs_review       |
Assignee        |bugs@openldap.org  |quanah@openldap.org
Target Milestone|---                |2.7.0
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Target Milestone|2.7.0              |---
--- Comment #1 from best@univention.de best@univention.de ---
The slapo-memberof(5) man page currently says:
Note that this overlay is deprecated and support will be dropped in future OpenLDAP releases. Installations should use the dynlist overlay instead. Using this overlay in a replicated environment is especially discouraged.
We tried to test the dynlist overlay module as a replacement but have huge performance problems in domains with 200.000 users.
with dynlist module (and nested group evaluation):
$ time ldapsearch … uid=testuser548 memberOf …
real 0m21,885s
user 0m0,176s
sys 0m0,067s
with dynlist module (without nested group evaluation):
$ time ldapsearch … uid=testuser548 memberOf …
real 0m12,797s
user 0m0,186s
sys 0m0,032s
with memberOf module:
$ time ldapsearch … uid=testuser548 memberOf …
real 0m0,248s
user 0m0,176s
sys 0m0,033
our slapd configuration:
overlay dynlist
dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@posixGroup*
and without nested evaluation:
dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@posixGroup
Can you elaborate on why it should be removed? What are the real problems with using it? And are these performance problems known and tracked to be fixed?
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Resolution      |---                |WONTFIX
Status          |UNCONFIRMED        |RESOLVED

--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
Going to fix the fundamental replication issues with memberOf instead.
Quanah Gibson-Mount quanah@openldap.org changed:
What            |Removed            |Added
----------------------------------------------------------------------------
Status          |RESOLVED           |VERIFIED