I'm using NSS and OpenLDAP on Linux to get a list of passwd entries from Active Directory. I'm getting all the users from a nested group by doing:
nss_base_passwd OU=peopleOU,DC=x?sub?memberof:1.2.840.113556.1.4.1941:=cn=Group1,OU=groupsOU,DC=x
I got the idea of using 1.2.840.113556.1.4.1941 from http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475%28v=vs.85%29.aspx
However, the performance is really bad. I'm guessing that the LDAP server is chaining each group of each user to find out if they are in the group. Is there a faster way of doing this? I imagine it'd be faster to find the members of the group than to check every user to see if they are in the group, but how can I make a filter for that?
Also, the nested group names in the directory can be globbed, i.e.,
memberof=cn=Group1*,OU=groupsOU,DC=x
should also give me what I want, but that returns 0 users.
0 Answers
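The group-side approach the question contemplates (start at the group and follow its member values downward, rather than testing every user), shown as an added example that is not part of the original post. The directory is a constructed in-memory dict, and `norm`, `fetch` and `expand_group` are hypothetical names; `fetch` stands in for a base-scope LDAP read of a single entry.

```python
from collections import deque

# Constructed sample directory (not from the post): DN -> entry.
# Group3 points back at Group1 (a cycle), repeats alice in different case,
# and references an entry that no longer exists.
DIRECTORY = {
    "cn=Group1,OU=groupsOU,DC=x": {"objectClass": "group", "member": [
        "cn=alice,OU=peopleOU,DC=x", "cn=Group2,OU=groupsOU,DC=x"]},
    "cn=Group2,OU=groupsOU,DC=x": {"objectClass": "group", "member": [
        "cn=bob,OU=peopleOU,DC=x", "cn=Group3,OU=groupsOU,DC=x"]},
    "cn=Group3,OU=groupsOU,DC=x": {"objectClass": "group", "member": [
        "CN=Alice,OU=peopleOU,DC=x", "cn=Group1,OU=groupsOU,DC=x",
        "cn=ghost,OU=peopleOU,DC=x"]},
    "cn=alice,OU=peopleOU,DC=x": {"objectClass": "user"},
    "cn=bob,OU=peopleOU,DC=x": {"objectClass": "user"},
    "cn=carol,OU=peopleOU,DC=x": {"objectClass": "user"},
}

def norm(dn):
    # Simplified comparison key (case-insensitive); not full RFC 4514 normalization.
    return dn.strip().lower()

_INDEX = {norm(dn): entry for dn, entry in DIRECTORY.items()}

def fetch(dn):
    # Stand-in for a base-scope LDAP read of one entry; returns None if missing.
    return _INDEX.get(norm(dn))

def expand_group(root_dn, fetch=fetch):
    """Return (sorted user DNs, number of groups read) for root_dn and its nested groups."""
    seen_groups, users, queue = set(), {}, deque([root_dn])
    while queue:
        dn = queue.popleft()
        if norm(dn) in seen_groups:
            continue                      # already expanded: breaks membership cycles
        entry = fetch(dn)
        if entry is None or entry["objectClass"] != "group":
            continue
        seen_groups.add(norm(dn))
        for member in entry.get("member", []):
            target = fetch(member)
            if target is None:
                continue                  # dangling member reference
            if target["objectClass"] == "group":
                queue.append(member)      # nested group: expand it later
            else:
                users.setdefault(norm(member), member)  # de-duplicate users
    return sorted(users.values()), len(seen_groups)

if __name__ == "__main__":
    print(expand_group("cn=Group1,OU=groupsOU,DC=x"))
```

The walk reads only entries reachable from the starting group, so carol, who is in no group, is never touched.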