Hi,
the standard search filter outlook users when searching for an X.509 certificate of an email address is
"(&(mail=*)(|(mail=John.Doe@anycomp.com*)(cn=John.Doe@anycomp.com*)(sn=John.Doe@anycomp.com*) (givenName=John.Doe@anycomp.com*)(displayName=John.Doe@anycomp.com*)))"
A ldapsearch using this filter times out on our openldap with about 210.000 user entries. After I created substring indexes over all of this attributes, it got faster, of course, but still is very slow and there still are timeouts sometimes. Every single combination like
"(&(mail=*)(givenname=John.Doe@anycomp.com*))"
works fast, but together the filter virtually does not work at all. I already tried to use ACLs to eliminate anonymous search over sn, givenname, displayname, but this does not speed up the search - I think the ldapsearch on this attributes is still taking place, only the results are not shown (?)
Obviously, the asterisk at the end of every mail-address does not speed up things at all…
Does anybody have a hint?
Thanks & kind regards,
Gerhard