By default when a user is added to or removed from a group we check if that group is a member of another group. We do this for each group that the user belongs to to the plugin can properly handle nested groups. If that same user already belongs to many groups, the plugin needs to perform a search for each one of those groups. This can get quite expensive, and can consume unexpected high amounts of cpu.
If you are not using nested groups then this “nested group” searching can be disabled.
This scenario becomes quite expensive if you have for example 10,000 groups with the same members. A single addition of a new member to a group can take a long time, and it will consume a lot of resources. If you are using nested groups then this is a performance hit you are going to have to accept, but if you are not using nested groups then this searching can be disabled.
A new configuration attribute has been added to the MemberOf Plugin that specifies if nested group searching should be skipped:
dn: cn=MemberOf Plugin,cn=plugins,cn=config
memberOfSkipNested: on|off
The default setting is “off”. Setting this value is applied dynamically and does not require a server restart to take effect.
If memberOfSkipNested is set to on, and there are nested groups, then the memberOf attribute in member entries will not be properly maintained.
None
New configuration attribute in the MemberOf plugin entry under cn=config
dn: cn=MemberOf Plugin,cn=plugins,cn=config
memberOfSkipNested: on|off
None
None
None
None