When I want to find entity (group/user) by name (using /v3/users?name=MyUser or /v3/groups?name=MyGroup) LDAP gets all data associated to entity (for example whole users database) and then filter it.
It should do filtering on query level in my opinion. It is very useful when having huge LDAP catalog.
How it works now:
If I want find user with name: MyUser...
1. Keystone queries LDAP in user_tree_dn for all user_filter matching entities
2. Filters out user (MyUser) I am looking for
How it should work:
If I want find user with name: MyUser...
1. Keystone queries LDAP in user_tree_dn for user matching both user_filter and ({user_name_attribute}=MyUser)
{user_name_attribute} is of course from keystone.conf or keystone.domainName.conf
This approach reduces data downloaded from LDAP and allows to have very large users database without shrinking it down by user_filter (no always possible) or using paging (also not always possible).
I heard that there was some effort to move filtering into query level but status is unknown.
We have the scaffolding in place for this but haven't extended it to the drivers yet. We may have a bug on this already or at least a blueprint. I'm assigning it over to henrynash to followup.
This is marked as wishlist because it isn't so much a bug as an enhancement.