One of the changes from 2.4 to 2.5 is that dynlist groups are now
returned with (member=memberDN) searches. This is potentially appealing,
but even with the ITS#9929 performance improvements, given the number of
dynlist groups we have, search times are significantly impacted.
We'd like to be able to cleanly disable this feature and exclude dynlist
groups from (member=memberDN) filter consideration. The only way I've
found so far is to patch the dynlist code itself. What I'm currently
doing is adding a continue statement right above this line in
dynlist_search():
https://git.openldap.org/openldap/openldap/-/blob/OPENLDAP_REL_ENG_2_5_14/servers/slapd/overlays/dynlist.c#L1830
That way the member searches are excluded, but dynlists otherwise work
as expected.

Here is the dynlist config we're using, just basic support for
groupOfURLs/memberURL:

    overlay dynlist
    dynlist-attrset groupOfURLs memberURL member

Is there some way to achieve my goal without having to patch the code?
Or should I open an ITS feature request to add a configurable option to
exclude dynlists from member searches?
Thanks,
-Kartik