member/memberOf and samldb.c

Luke Howard lukeh at padl.com
Mon Aug 29 12:24:29 GMT 2005


>that could be a bit tricky for us, though I can see the advantages of
>using a GUID or similar unique token.

BTW, in XAD we don't store the "member" values in the group entry at
all; they are virtualized, as is "memberOf". So the performance impact
is identical no matter which way you read the entry :-)

Also, we found that this model was easier to adapt to support linked
value replication than it would be if we just stored the DN, because
of the extra metadata that needs to be stored.

>If a user is a member of just a few groups then this would be OK, but
>if a user is a member of hundreds of groups then this would get really
>bad.

Well, we haven't noticed any real performance problems with hundreds
of groups. OpenLDAP does a bunch of caching at the DB layer that may
help here. Simple name lookups (e.g. GUID to DN) should be fast. But
to answer you directly, we don't avoid O(n).

-- Luke
