On 7/25/22 19:38, Shawn McKinney wrote:
So, that gets us into looking at mitigation. One approach, focus on
what the client does. For example, instead of searching across the
user tree for membership to a particular group, it's far more
efficient to just pull back that list from the group entry itself.
In my case
searching by 'memberOf' is not only done for determining the
users' group memberships. It is used to also effeciently retrieve the
For Æ-DIR my aehostd uses 'memberOf' search to select only subsets of
users indirectly referenced via user groups by so-called service groups
) to retrieve the passwd
Another approach I was thinking about is using deref control on
attribute 'member' when reading the group entry. But this would mean
that I potentially read user data several times if the user is member of
several groups referenced by same service groups (which is the case most
times). In opposite to that a filter (|(memberOf=..)(memberOf=..)) only
retrieves the user entry *once*.
And there were also issues with deref control and set-based ACLs:
I'm thinking about how to get rid of slapo-memberof for quite a while now...
BTW: You can access the Æ-DIR online demo via LDAPS and HTTPS and try