In a typical user login query, the code tries to work out the PSO 2-3 times - once for the msDS-ResultantPSO attribute, and then again for the msDS-User-Account-Control-Computed & msDS-UserPasswordExpiryTimeComputed constructed attributes.
The PSO calculation is reasonably expensive, mostly due to the nested groups calculation. If we've already constructed the msDS-ResultantPSO attribute, then we can save ourselves extra work by just re-fetching the result directly, rather than expanding the nested groups again from scratch.
The previous patch improves efficiency when there are no PSOs in the system. This should improve the case where there are PSOs that apply to the users. (Unfortunately, it won't help where there are some PSOs in the system, but no PSO applies to the user being queried).
Also updated sam.c so the msDS-ResultantPSO gets calculated first, before the other constructed attributes.
2fa2f132ae3 dsdb: Avoid calculating the PSO multiple times
source4/auth/sam.c | 9 ++++++-
source4/dsdb/samdb/ldb_modules/operational.c | 39 ++++++++++++++++++++++++++--
2 files changed, 45 insertions(+), 3 deletions(-)