Andrew Findlay wrote:
> We have a tool (BMC Identity Management (formerly Control-SA))
Check how it modifies the groups.
First of all it's not clear to me whether the original poster really meant
If it rewrites the whole set of 'member' attributes each time then you are
forcing the server to re-index every value.
Not only that, it's horribly inefficient. With this approach you run into the
famous security issue back in those Windows 2000 days where removed group
members were accidentally re-added because of concurrent write access.
The efficient way to do this is to specify the value that you want to
remove or the one you want to add. It should be very quick.
Additionally LDAP PDUs manipulating many values at once grow very big.
Also look at your replication setup. With this sort of data you
do need delta mode.
delta-syncrepl would only help if group membership is changed only for a few
members in one modify request.
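
The concurrent-write problem discussed in this thread, modelled in memory as an added example (not code from either poster, from BMC's tool, or from any LDAP server). The names `GroupEntry` and `run_race` and all DNs are constructed for illustration; the three operation types mirror LDAP modify's add, delete and replace.

```python
# Added illustration: in-memory model of LDAP modify semantics on a group's
# multi-valued 'member' attribute. All DNs below are constructed samples.

class GroupEntry:
    """Holds the 'member' values of one group entry, as the server would."""
    def __init__(self, members):
        self.members = set(members)

    def modify(self, op, values):
        # Mirrors the three LDAP modify operation types for one attribute.
        values = set(values)
        if op == "replace":            # overwrite the whole value set
            self.members = values
        elif op == "add":
            if values & self.members:
                raise ValueError("attributeOrValueExists")
            self.members |= values
        elif op == "delete":
            if not values <= self.members:
                raise ValueError("noSuchAttribute")
            self.members -= values
        else:
            raise ValueError("unknown modify op: " + op)


def run_race(style):
    """Admin A removes mallory while provisioning tool B adds carol.
    Both read the entry before either write reaches the server."""
    alice, mallory, carol = ("uid=%s,ou=people,dc=example,dc=com" % u
                             for u in ("alice", "mallory", "carol"))
    group = GroupEntry([alice, mallory])
    seen_by_a = set(group.members)     # A's snapshot
    seen_by_b = set(group.members)     # B's snapshot, still contains mallory
    if style == "replace":
        group.modify("replace", seen_by_a - {mallory})   # A writes first
        group.modify("replace", seen_by_b | {carol})     # B overwrites A
    else:  # "delta": each client sends only the value it changes
        group.modify("delete", [mallory])
        group.modify("add", [carol])
    return mallory in group.members, len(group.members)


if __name__ == "__main__":
    for style in ("replace", "delta"):
        readded, size = run_race(style)
        print(style, "-> removed member back in group:", readded, "size:", size)
```

With whole-set replace the second writer silently restores the removed member; with per-value add and delete the removal survives, and each request carries one value instead of the full membership list.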