https://bugs.openldap.org/show_bug.cgi?id=10025
Issue ID: 10025
Summary: Add option to disable filtered searches for memberURL groups
Product: OpenLDAP
Version: 2.5.14
Hardware: All
OS: All
Status: UNCONFIRMED
Keywords: needs_review
Severity: normal
Priority: ---
Component: overlays
Assignee: bugs@openldap.org
Reporter: subbarao@computer.org
Target Milestone: ---
One of the changes from 2.4 to 2.5 is that dynlist groups are now returned with (member=memberDN) searches. This is potentially appealing, but even with the ITS#9929 performance improvements, given the number of dynlist groups we have, search times are significantly impacted.
We'd like to be able to cleanly disable this feature and exclude dynlist groups from (member=memberDN) filter consideration. The only way I've found so far is to patch the dynlist code itself. What I'm currently doing is adding a continue statement right above this line in dynlist_search():
https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5_14/se...
That way the member searches are excluded, but dynlists otherwise work as expected.
Here is the dynlist config we're using, just basic support for groupOfURLs/memberURL:
    overlay dynlist
    dynlist-attrset groupOfURLs memberURL member
I'd like to request a configurable option to exclude dynlists from (member=memberDN) searches.
subbarao@computer.org <subbarao@computer.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Add option to disable       |Add option to disable
                   |filtered searches for       |member=memberDN searches
                   |memberURL groups            |for memberURL groups
--- Comment #1 from Howard Chu <hyc@openldap.org> ---
I suggest you just compile the 2.4 dynlist overlay instead, if you don't want the 2.5 features.
--- Comment #2 from subbarao@computer.org <subbarao@computer.org> ---
Hi Howard, I've already deployed a short-term fix as described above. What I'm looking for with this enhancement request is a long-term supported configuration option that doesn't require compiling code (e.g. available in the standard Ubuntu slapd package, etc).
I'd expect that environments with lots of dynamic groups will suddenly be bitten by this issue when upgrading from 2.4 to 2.5. The overhead is significant -- each new dynamic group makes member=memberDN searches go noticeably slower. We don't want a common-case search performance to keep degrading just because someone added some more dynamic groups.
It seems like a fairly simple enhancement request to add, so I was hoping you could consider it. Apart from timing and prioritizing, do you have any concerns about the merits of this feature request?
Quanah Gibson-Mount <quanah@openldap.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|needs_review                |
   Target Milestone|---                         |2.7.0
Howard Chu <hyc@openldap.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |IN_PROGRESS
--- Comment #3 from Howard Chu <hyc@openldap.org> ---
https://git.openldap.org/openldap/openldap/-/merge_requests/640
Please test, thanks.
--- Comment #4 from subbarao@computer.org <subbarao@computer.org> ---
On 7/31/23 1:45 PM, openldap-its@openldap.org wrote:
> --- Comment #3 from Howard Chu <hyc@openldap.org> ---
> https://git.openldap.org/openldap/openldap/-/merge_requests/640
>
> Please test, thanks.
Tested, works as expected, thanks Howard! Nice use of goto :-)
Regards,
-Kartik
Quanah Gibson-Mount <quanah@openldap.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS                 |RESOLVED
         Resolution|---                         |FIXED
--- Comment #5 from Quanah Gibson-Mount <quanah@openldap.org> ---
• 2494ade7 by Howard Chu at 2023-11-21T16:41:02+00:00
  ITS#10025 slapo-dynlist: add option to disable filter support
Quanah Gibson-Mount <quanah@openldap.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|2.7.0                       |2.5.17
--- Comment #6 from Quanah Gibson-Mount <quanah@openldap.org> ---
RE26:
• 3e25c6d9 by Howard Chu at 2024-01-23T18:44:37+00:00
  ITS#10025 slapo-dynlist: add option to disable filter support
RE25:
• 41beafbd by Howard Chu at 2024-01-23T18:46:21+00:00
  ITS#10025 slapo-dynlist: add option to disable filter support
Quanah Gibson-Mount <quanah@openldap.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED