Univention Bugzilla – Bug 54417
The memberof overlay is deprecated in OpenLDAP 2.5 and will be removed in OpenLDAP 2.7
Last modified: 2023-11-14 18:08:18 CET
The memberof overlay modules will be removed in OpenLDAP 2.7.
https://bugs.openldap.org/show_bug.cgi?id=9795

In the mailing list a question about replacement occurred:

> documented in the slapo-memberof(5) man page:
>
> <https://www.openldap.org/software/man.cgi?query=slapo-memberof&apropos=0&sektion=0&manpath=OpenLDAP+2.5-Release&arch=default&format=html>
>
> " Note that this overlay is deprecated and support will be dropped in
> future OpenLDAP releases. Installations should use the dynlist overlay
> instead. Using this overlay in a replicated environment is especially
> discouraged.
> "
We will still use memberof in UCS 5.2. dynlist does not yet meet our performance requirements.
We tried to test the dynlist overlay module as a replacement but have huge performance problems in domains with 200.000 users.

with dynlist module (and nested group evaluation):
> $ time ldapsearch … uid=testuser548 memberOf
> …
> real 0m21,885s
> user 0m0,176s
> sys 0m0,067s

with dynlist module (without nested group evaluation):
> $ time ldapsearch … uid=testuser548 memberOf
> …
> real 0m12,797s
> user 0m0,186s
> sys 0m0,032s

with memberOf module:
> $ time ldapsearch … uid=testuser548 memberOf
> …
> real 0m0,248s
> user 0m0,176s
> sys 0m0,033

our slapd configuration:
> overlay dynlist
> dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@posixGroup*

and without nested evaluation:
> dynlist-attrset groupOfURLs memberURL uniqueMember+memberOf@posixGroup