Description
Symptoms
When groups that are synchronized from the remote directory have members that are outside of the user or group filter / DN, Crowd may issue an additional query to the remote directory in order to fetch those objects. During full synchronization this additional query is superfluous and does not influence the correctness of membership resolution.
Example
The Crowd directory is configured as follows:
- pull groups from dn: ou=Groups
- pull users from dn: ou=Users
An LDAP directory group contains members outside of ou=Groups and outside of ou=Users:
dn: cn=my-group,ou=Groups
objectClass: groupOfUniqueNames
objectClass: top
cn: my-group
uniqueMember: cn=john,ou=Users
uniqueMember: cn=bot-account,ou=Automation
In such a situation Crowd, during synchronisation, will issue an additional query to the remote directory in order to fetch cn=bot-account,ou=Automation, which was not fetched before because the group DN configured in Crowd is ou=Groups.
This additional query may become a timing culprit when groups contain many member objects that are outside of the configured scope and the LDAP server is slow to respond.
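To gauge how many such out-of-scope members a directory holds, the following added example (not Crowd or Atlassian code) scans an LDIF export of the groups and lists every member DN that lies outside the configured base DNs. It assumes members are stored in member or uniqueMember and checks base DNs only, not LDAP filters; all function names are hypothetical and the sample data is constructed from the example above.

```python
import base64

# Constructed sample: the group from the example above plus one constructed group.
SAMPLE_LDIF = """\
dn: cn=my-group,ou=Groups
uniqueMember: cn=john,ou=Users
uniqueMember: cn=bot-account,ou=Automation

dn: cn=ops,ou=Groups
uniqueMember: CN=deploy, OU=Automation
uniqueMember: cn=nested,ou=Groups
"""

def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, escaped = [""], False
    for ch in dn:
        if ch == "," and not escaped:
            rdns.append("")
        else:
            rdns[-1] += ch
        escaped = ch == "\\" and not escaped
    return [r.strip().lower() for r in rdns]

def in_scope(dn, bases):
    """True if dn equals or sits below any base DN (compared RDN by RDN)."""
    return any(split_dn(dn)[-len(b):] == b for b in map(split_dn, bases))

def parse_ldif(text):
    """Yield (group_dn, member_dns); unfolds wrapped lines, decodes '::' values."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        dn, members = None, []
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # '::' marks a base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if attr.lower() == "dn":
                dn = value.strip()
            elif attr.lower() in ("member", "uniquemember"):
                members.append(value.strip())
        if dn:
            yield dn, members

def out_of_scope_members(ldif_text, bases):
    """Map each group DN to the members outside every configured base DN."""
    report = {dn: [m for m in members if not in_scope(m, bases)]
              for dn, members in parse_ldif(ldif_text)}
    return {dn: extra for dn, extra in report.items() if extra}
```

Calling out_of_scope_members(SAMPLE_LDIF, ["ou=Users", "ou=Groups"]) reports cn=bot-account,ou=Automation for my-group and the constructed deploy account for ops.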
Workaround
None at this point