On 02/03/2015 10:19 PM, Emmanuel Lécharny wrote:
> On 03/02/15 22:07, Stefan Seelmann wrote:
>> I forgot to mention the performance aspect.
>>
>> If you traverse all persons from the CEO down you need as many LDAP
>> search operations as you have persons in the directory, each requires a
>> full network roundtrip, which takes time.
>
> What's the point of doing that when a ONE_LEVEL search done one level
> below would provide all the entries with one single Search?

If I understand Chris correctly the directory hierarchy and the logical
organisational hierarchy are different. For example:

dn: cn=ceo,ou=c,ou=b,ou=a
directreports: cn=jane,ou=x,ou=w,ou=a
directreports: cn=john,ou=z,ou=y,ou=a

If that is the case the "directreports" are not LDAP child entries, but
just pointers to somewhere in the directory tree. Similar to nested group
membership.

@Chris, if this is not the case then please ignore my mail and use
ONE_LEVEL search to traverse the directory hierarchy, that is the
preferred way.

>> However if possible I'd avoid such a costly tree traversal, and instead
>> use e.g. paged search.
> Actually, it's probably better to abandon the request when you get what
> you want, paged search will just mitigate the memory used on the client
> side.
>
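
Added example, not part of the original mail or of any project's code: a small in-memory model of the two cases discussed above, counting search operations when following "directreports" pointers versus one ONE_LEVEL search. FakeLdap, walk_reports and the sample entries other than the CEO's are hypothetical; the walk also guards against pointer loops and caps the number of entries visited, since pointer attributes (like nested group membership) can be cyclic or dangling.

```python
from collections import deque

def normalize(dn):
    # Simplified DN normalisation (assumption: no escaped commas in RDN values).
    return ",".join(part.strip().lower() for part in dn.split(","))

# Constructed sample data modelled on the entry in the mail. The reports of jane,
# john and bob are invented: bob points back at the CEO, "gone" does not exist.
DIRECTORY = {
    "cn=ceo,ou=c,ou=b,ou=a": ["cn=jane,ou=x,ou=w,ou=a", "cn=john,ou=z,ou=y,ou=a"],
    "cn=jane,ou=x,ou=w,ou=a": ["cn=bob,ou=x,ou=w,ou=a"],
    "cn=john,ou=z,ou=y,ou=a": ["cn=gone,ou=z,ou=y,ou=a"],
    "cn=bob,ou=x,ou=w,ou=a": ["CN=ceo, ou=c, ou=b, ou=a"],
}

class FakeLdap:
    """Hypothetical stand-in for an LDAP connection; counts search operations."""
    def __init__(self, entries):
        self.entries, self.searches = entries, 0

    def read_reports(self, dn):
        # Base-scope search on one DN: one round trip, None if no such entry.
        self.searches += 1
        return self.entries.get(normalize(dn))

    def one_level(self, base):
        # ONE_LEVEL search: all immediate children of base in a single operation.
        self.searches += 1
        base = normalize(base)
        return sorted(dn for dn in self.entries if dn.partition(",")[2] == base)

def walk_reports(conn, root, max_entries=1000):
    """Breadth-first walk over directreports pointers, one search per DN."""
    seen, found, queue = set(), [], deque([normalize(root)])
    while queue:
        dn = queue.popleft()
        if dn in seen:            # loop guard: pointers may form cycles
            continue
        if len(seen) >= max_entries:
            raise RuntimeError("directreports walk exceeded max_entries")
        seen.add(dn)
        reports = conn.read_reports(dn)
        if reports is None:       # dangling pointer, still cost a round trip
            continue
        found.append(dn)
        queue.extend(normalize(r) for r in reports)
    return found
```
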
