On 7/25/22 19:38, Shawn McKinney wrote:
> So, that gets us into looking at mitigation. One approach, focus on
> what the client does. For example, instead of searching across the
> user tree for membership to a particular group, it's far more
> efficient to just pull back that list from the group entry itself.
In my case searching by 'memberOf' is not only done for determining the users' group memberships. It is also used to efficiently retrieve the users' attributes.
Example: For Æ-DIR my aehostd uses a 'memberOf' search to select only subsets of users indirectly referenced via user groups by so-called service groups (see https://www.ae-dir.com/docs.html#er-roles) to retrieve the passwd map data.
Another approach I was thinking about is using the deref control on attribute 'member' when reading the group entry. But this would mean that I potentially read user data several times if the user is a member of several groups referenced by the same service groups (which is the case most of the time). In contrast to that, a filter (|(memberOf=..)(memberOf=..)) only retrieves the user entry *once*.
And there were also issues with the deref control and set-based ACLs:
https://bugs.openldap.org/show_bug.cgi?id=9800
I've been thinking about how to get rid of slapo-memberof for quite a while now...
BTW: You can access the Æ-DIR online demo via LDAPS and HTTPS and try it out yourself:
https://www.ae-dir.com/demo.html
https://demo.ae-dir.com/web2ldap
Ciao, Michael.
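As an added example (not code from this thread, nor from Æ-DIR or aehostd), the following Python models the trade-off Michael describes: one OR'ed 'memberOf' filter returns each user entry once, whereas dereferencing 'member' group by group reads users that sit in several groups repeatedly. All group and user DNs are constructed, and RFC 4515 value escaping is included so that a DN containing filter metacharacters cannot alter the query structure.

```python
# Added example, not from the original thread: build the single OR'ed
# 'memberOf' filter described above and compare how many user-entry reads
# it needs with dereferencing 'member' on every referenced group.
# All DNs and group contents below are constructed sample data.
from typing import Dict, Iterable, List, Set

# Hypothetical service group -> user groups it references.
SERVICE_GROUP_REFS: Dict[str, List[str]] = {
    "cn=web-hosts,ou=srvgroups,ou=ae-dir": [
        "cn=admins,ou=groups,ou=ae-dir",
        "cn=devs (web),ou=groups,ou=ae-dir",  # parentheses need escaping
    ],
}
# Hypothetical user group -> member DNs; alice is in both groups.
GROUP_MEMBERS: Dict[str, List[str]] = {
    "cn=admins,ou=groups,ou=ae-dir":
        ["uid=alice,ou=people,ou=ae-dir", "uid=bob,ou=people,ou=ae-dir"],
    "cn=devs (web),ou=groups,ou=ae-dir":
        ["uid=alice,ou=people,ou=ae-dir", "uid=carol,ou=people,ou=ae-dir"],
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a DN containing '(', ')', '*', '\\' or NUL
    cannot change the structure of the filter it is embedded in."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def memberof_filter(group_dns: Iterable[str]) -> str:
    """(|(memberOf=g1)(memberOf=g2)...): users that are in any listed group."""
    return "(|%s)" % "".join(
        "(memberOf=%s)" % escape_filter_value(dn) for dn in group_dns)

def user_memberof_index() -> Dict[str, Set[str]]:
    """What slapo-memberof maintains: per user, its set of 'memberOf' values."""
    index: Dict[str, Set[str]] = {}
    for group, members in GROUP_MEMBERS.items():
        for user in members:
            index.setdefault(user, set()).add(group)
    return index

def users_matching_memberof(service_group: str) -> Set[str]:
    """One search with the OR'ed filter: each user entry comes back once."""
    wanted = set(SERVICE_GROUP_REFS[service_group])
    return {u for u, groups in user_memberof_index().items() if groups & wanted}

def user_reads_via_deref(service_group: str) -> int:
    """Dereferencing 'member' group by group reads a user once per group."""
    return sum(len(GROUP_MEMBERS[g]) for g in SERVICE_GROUP_REFS[service_group])
```

With the sample data, the filter search yields three distinct users while the deref approach performs four user reads, because alice is read once per group.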