Thanks Clement for your response and blog for valsort usage (http://coudot.blogs.linagora.com/index.php/post/2013/01/07/Astuce-OpenLDAP-%3A-Des-groupes-dynamiques-Jamais-sans-tri-des-valeurs-!).

Dieter i didn't mention my search filter because i take the same base/scope/filter that i configure inside memberURL, and also my idea wasn't to compare my server configuration with others and yours, but just to understand why it take more time to search uniqueMember whitout valsort overlay than searching the entries locally.

Now, yes using valsort overlay decrease the time of  ldapsearch display for my 10K entries :

real    0m0.436s
user    0m0.010s
sys     0m0.009s

Where is it mention inside OpenLDAP documentation/faq that performance are better with valsort and what is the threshold for using it (eg how many uniqueMember? ) ?


Le 27/11/13, Dieter Klünter <dieter@dkluenter.de> a écrit :
Am Wed, 27 Nov 2013 10:46:40 +0100
schrieb "POISSON Frédéric" <frederic.poisson@admin.gmessaging.net>:

> Hello,
> I'm testing the dynlist overlay on OpenLDAP 2.4.38 because i have a
> static group of around 10K uniqueMember. I want to have now a
> equivalent group with dynlist.
> I have configured my overlay dynlist like this :
> dn: olcOverlay={2}dynlist,olcDatabase={1}bdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcDynamicList
> olcOverlay: {2}dynlist
> olcDlAttrSet: {0}groupOfURLs memberURL uniqueMember
> And my group is quite like OpenLDAP example in documentation :
> dn: cn=GeneralisationDyn,ou=Groups,dc=example,dc=com
> objectClass: top
> objectClass: groupOfURLs
> cn: GeneralisationDyn
> memberURL:
> ldap:///ou=People,dc=example,dc=com??one?(objectClass=person)
> uniqueMember: uid=user1,ou=People,dc=example,dc=com uniqueMember:
> uid=user2,ou=People,dc=example,dc=com [...]
> My backend is Berkeley DB and i have tune it in order to have quite
> fast responses on searches, and locally on my server (virtualized
> with a single proc), it take that time to return the entries found by
> memberURL :
> real 0m0.272s
> user 0m0.040s
> sys 0m0.023s
> If i run an ldapsearch to see all uniqueMember of my dynamic group it
> take around 8 to 10 seconds to have the output !
> Why a so big difference of response time in a search of entries and a
> search of uniqueMember inside a dynamic group ? Is there some tuning
> for dynlist plugin ?
> Notice also that when i search uniqueMember inside my static group
> with quite same number of uniqueMember) i have less than 0.1 seconds
> of real time.

You didn't mention the search string and filter, but here my results of
5,000 entries

time ldapsearch -Y DIGEST-MD5 -U replicator -wxxxx -l0 -z0 -H
ldap://localhost -b cn=dynamicGroup,o=avci,c=de -s base "*"
[5000 lines]

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

real 0m0.606s
user 0m0.014s
sys 0m0.027s


Dieter Klünter | Systemberatung
GPG Key ID:DA147B05


Frederic Poisson