#4947 inefficient ldap2._process_memberindirect
Closed: Fixed None Opened 9 years ago by pvoborni.

For large groups, e.g. ipausers with 30K users, the method tries to get members of its members.

The ldap search is done with:

  • base dn: api.env.basedn
  • time_limit: configured time limit, by default 2s
  • size_limit: configured size limit, by default 100 entries
  • paged_search=True
  • filter: (memberOf=cn=ipausers,cn=groups,cn=accounts,dc=example,dc=com)

With 30k member users, this search is inefficient and returns a lot of results. With time_limit=2s, there's a good chance that it will fail with a limits exceeded error. If not, it will do 300 paged searches because of paged_search=true and size_limit=100.

Result

  • huge performance hit on 389 server
  • ipa client times out before it gets a response
  • ipa group-find, ipa group-show basically unusable

Possible improvements:

  • limit filter to include only objects which can have members. E.g. for groups search only for groups and not users.
  • limit base_dn (because of ^^)
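
The effect of the two proposed improvements can be seen on a simulated directory. This is an added example, not FreeIPA code and not the change made in the fix commit; the `cn=users` container, the `groupofnames`/`posixaccount` object classes, the nested group names and the in-memory `search` helper are assumptions made for illustration.

```python
import math

BASEDN = "dc=example,dc=com"                     # api.env.basedn in the ticket
GROUPS_DN = "cn=groups,cn=accounts," + BASEDN
USERS_DN = "cn=users,cn=accounts," + BASEDN      # assumed user container
IPAUSERS = "cn=ipausers," + GROUPS_DN
SIZE_LIMIT = 100                                 # default size limit = page size

def build_directory(n_users=29998, nested=("nested-a", "nested-b")):
    """Constructed sample: every entry is a member of ipausers (30000 total)."""
    users = [{"dn": f"uid=user{i},{USERS_DN}", "objectClass": {"posixaccount"},
              "memberOf": {IPAUSERS}} for i in range(n_users)]
    groups = [{"dn": f"cn={g},{GROUPS_DN}", "objectClass": {"groupofnames"},
               "memberOf": {IPAUSERS}} for g in nested]
    return users + groups

def in_subtree(dn, base):
    """True if dn is the base entry itself or lies below it."""
    return dn == base or dn.endswith("," + base)

def search(entries, base, member_of, object_class=None):
    """Simulated subtree search; returns (matching DNs, pages of SIZE_LIMIT)."""
    hits = [e["dn"] for e in entries
            if in_subtree(e["dn"], base)
            and member_of in e["memberOf"]
            and (object_class is None or object_class in e["objectClass"])]
    return hits, math.ceil(len(hits) / SIZE_LIMIT)

def compare(entries):
    # Query from the ticket: whole tree, filter (memberOf=<group dn>)
    broad = search(entries, BASEDN, IPAUSERS)
    # Narrowed query: groups container only, filter
    # (&(objectClass=groupofnames)(memberOf=<group dn>))
    narrow = search(entries, GROUPS_DN, IPAUSERS, "groupofnames")
    return broad, narrow

if __name__ == "__main__":
    (b_hits, b_pages), (n_hits, n_pages) = compare(build_directory())
    print(f"broad:  {len(b_hits)} entries, {b_pages} paged searches")
    print(f"narrow: {len(n_hits)} entries, {n_pages} paged search(es)")
```
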

master:

  • 4364ac0 speed up indirect member processing

Metadata Update from @pvoborni:
- Issue assigned to pvoborni
- Issue set to the milestone: FreeIPA 4.2

7 years ago
