On 7/25/22 19:38, Shawn McKinney wrote:
> So, that gets us into looking at mitigation. One approach, focus on what the client does. For example, instead of searching across the user tree for membership to a particular group, it's far more efficient to just pull back that list from the group entry itself.
In my case searching by 'memberOf' is not only done for determining the users' group memberships. It is used to also efficiently retrieve the users' attributes.
Example:
For Æ-DIR my aehostd uses 'memberOf' search to select only subsets of users indirectly referenced via user groups by so-called service groups (see https://www.ae-dir.com/docs.html#er-roles) to retrieve the passwd map data.
Another approach I was thinking about is using deref control on attribute 'member' when reading the group entry. But this would mean that I potentially read user data several times if the user is a member of several groups referenced by the same service groups (which is the case most times). In contrast to that, a filter (|(memberOf=..)(memberOf=..)) only retrieves the user entry *once*.
And there were also issues with deref control and set-based ACLs:
https://bugs.openldap.org/show_bug.cgi?id=9800
I'm thinking about how to get rid of slapo-memberof for quite a while now...
BTW: You can access the Æ-DIR online demo via LDAPS and HTTPS and try it out yourself: https://www.ae-dir.com/demo.html https://demo.ae-dir.com/web2ldap
Ciao, Michael.
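An added example (not code from this thread, nor from aehostd or Æ-DIR) of building the single-pass (|(memberOf=..)(memberOf=..)) filter described above: the group DNs are assumed to have been read from the service group's entry beforehand, duplicates are collapsed so each group is asserted once, and every DN is escaped per RFC 4515 so a value containing filter metacharacters cannot change the meaning of the search.

```python
# Added example: build the OR-of-memberOf filter that fetches each user entry once.
# Assumes the caller already read the service group and collected the DNs of the
# user groups it references; the DNs below are constructed sample values.


def escape_filter_value(value: str) -> str:
    """Escape an assertion value as required by RFC 4515 section 3.

    '*', '(', ')', '\\' and NUL must be written as a backslash plus two hex
    digits; non-ASCII characters are emitted as escaped UTF-8 bytes.
    """
    out = []
    for ch in value:
        if ch in ('\\', '*', '(', ')', '\x00'):
            out.append('\\%02x' % ord(ch))
        elif ord(ch) > 127:
            out.append(''.join('\\%02x' % b for b in ch.encode('utf-8')))
        else:
            out.append(ch)
    return ''.join(out)


def member_of_filter(group_dns, attr='memberOf'):
    """Return one search filter matching users that are members of any group in group_dns.

    Duplicate DNs (a user group referenced by several service groups) are
    dropped, and a single DN yields a plain equality filter instead of a
    one-element OR.
    """
    unique = []
    for dn in group_dns:
        if dn not in unique:
            unique.append(dn)
    if not unique:
        raise ValueError('no group DNs given')
    parts = ['(%s=%s)' % (attr, escape_filter_value(dn)) for dn in unique]
    if len(parts) == 1:
        return parts[0]
    return '(|%s)' % ''.join(parts)


if __name__ == '__main__':
    # Constructed sample: two user groups, one referenced twice via service groups.
    groups = ['cn=admins,ou=ae-dir', 'cn=web,ou=ae-dir', 'cn=admins,ou=ae-dir']
    print(member_of_filter(groups))
```

Pass the returned string as the filter of a single subtree search over the user container; the server then returns each matching user entry exactly once regardless of how many of the listed groups it belongs to.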