Description Florian Best 2025-12-11 13:11:33 CET

There are multiple performance issues in the (use of) the function fast_member_add() and fast_member_remove() of groups/group objects. In fact, they are slow_member_add/remove():

1. The whole UDM group is loaded for every member change operation of users/computers while we would only need to do a LDAP operation to add or remove that user/computer in uniqueMember / memberUid values from the group.
2. After loading the group, a search for all the uniqueMember and memberUid attributes of the group is done again, while we already have those data. 
3. When a users/user username is renamed, for each group the user is part of the "memberUid" attribute is completely replaced (`ldap.MOD_REPLACE`) with a list of all values. → Bug #58840

4. Additionally the comparison of DNs is done incorrectly - it just compares DNs lowercase. That doesn't respect special chars in different encoded forms (e.g. + as \+ or \2B.
5. Code style is very bad and bloated. Some dead code exists.

What is affected?
1. post removal of a user
2. creation of a user
3. modification of group memberships of user
4. renaming or moving of users
1. post removal of a computer
2. creation of a computer
3. modification of group memberships of computers

We should instead:
→ simply make LDAP operations with the values we know - don't load any more objects
→ perform only `LDAP_ADD` and `LDAP_DEL` instead of `LDAP_REPLACE` modifications for multi value fields
- Switch to the new library `univention.dn.DN` for correct DN comparisons.

A sketch demonstrating it in Python expressions:

Prior:
```python
    # in users/user.py
    def __update_groups(self):
        old_groups = self.oldinfo.get('groups', [])
        new_groups = self.info.get('groups', [])
        # …
        for group in self.info.get('groups', []):
            if group and not case_insensitive_in_list(group, old_groups):
                # gets the whole group and unmap all attributes  
                grpobj = group_mod.object(None, self.lo, self.position, group)
                grpobj.fast_member_add([self.dn], [new_uid])

   # in groups/group.py
    def fast_member_add(self, memberdnlist, uidlist):
        ml = []
        uids = set()
        members = set()

        # another unnecessary search, as these information are already in self.oldattr
        searchResult = self.lo.authz_connection.get(self.dn, attr=['uniqueMember', 'memberUid'])
        if searchResult:
            uids = {x.decode('UTF-8').lower() for x in searchResult.get('memberUid', [])}
            members = {x.decode('UTF-8').lower() for x in searchResult.get('uniqueMember', [])}
        add_memberdnlist = [dn for dn in memberdnlist if dn.lower() not in members]

        if add_memberdnlist:
            ml.append(('uniqueMember', b'', [x.encode('UTF-8') for x in add_memberdnlist]))

        if ml:
            return self.lo.authz_connection.modify(self.dn, ml)
```

After:
```python
     def __update_groups(self) -> None:
        old_groups = DN.set(self.oldinfo.get('groups', []))
        new_groups = DN.set(self.info.get('groups', []))

        for group in (new_groups - old_groups):
            self.__fast_single_member_add(str(group), self.dn, new_uid)

    def __fast_single_member_add(self, group, member_dn, member_uid, **kwargs):
        ml = [
            ('memberUid', None, [member_uid.encode('UTF-8')]),
            ('uniqueMember', None, [member_dn.encode('UTF-8')]),
        ]
        self.lo.authz_connection.modify(group, ml, exceptions=True, **kwargs)
```

fast_member_add/remove were introduced in UCS 2.4 Bug #19211 git:6d878c9f0554c761ca97ff028f8dd882a93815cb