When you use roles to support your directory service, be aware of the following limitations.
If your directory tree is distributed over several servers by using the chaining feature, the entries that define roles must be located on the same server as the entries that are members of those roles. If one server, A, receives entries from another server, B, through chaining, those entries carry the role membership computed on B, but they are never assigned any of the roles defined on A, even if they fall within the scope of an A role.
The filter string of a filtered role cannot be based on the values of a CoS virtual attribute. However, the specifier attribute in a CoS definition may reference the nsRole attribute generated by a role definition. In other words, the dependency works in one direction only: a CoS definition can depend on role membership, but a role definition cannot depend on a CoS-generated value. For information about CoS, see Chapter 9, Directory Server Class of Service.
You can extend the scope of a role to other subtrees, but those subtrees must be held by the same server instance. You cannot extend the scope of a role to subtrees on another server.
The nsRole attribute can be used in any search filter with any of the comparison operators. When you search on the nsRole attribute, consider the following points:
Searches on the nsRole attribute can take a long time, because every role in scope must be evaluated for every candidate entry before the filter can be applied.
Directory Server is optimized for equality searches on membership in managed roles. For example, an equality filter on nsRole whose value is the DN of a managed role is nearly as fast as a search on a real attribute.
This optimization relies on the nsRoleDN attribute, which holds the managed role membership on each member entry and is indexed by default in all suffixes. If you disable indexing of nsRoleDN, the optimization for managed role membership searches is lost.
Searches for entries that are members of a filtered role involve an internal search using the role's filter. That internal operation is fastest if every attribute that appears in the role filter is indexed in all suffixes within the scope of the role; an unindexed attribute in the role filter turns the internal search into a full scan of the scope.
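The following is an added illustration, not Directory Server code, of two points made above: the one-way dependency between roles and CoS (a CoS specifier may use nsRole, but a filtered role cannot see CoS output) and the difference between a full nsRole search and the nsRoleDN index lookup that serves managed-role equality searches. Everything in it is a simplifying assumption: entries are dicts of lowercase attribute name to list of values, a role's scope is the subtree under its parent entry, roles are evaluated from real attributes before CoS virtual attributes are generated, only a subset of the LDAP filter grammar is parsed, and the entries, role and CoS definitions are constructed sample data.

```python
"""Toy model of role evaluation and nsRole searches (added example, not
Directory Server code). Assumed, not from the page: entries are dicts of
lowercase attribute -> list of values; a role's scope is the subtree under
its parent entry; roles are computed from real attributes before CoS
virtual attributes are added, so CoS may key on nsRole but a role filter
cannot see CoS output. Sample data below is constructed for illustration."""


def parent_dn(dn):
    return dn.split(",", 1)[1]


def in_subtree(dn, base):
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def _split_top(s):
    """Split "(a=1)(b=2)" into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def match_filter(entry, flt):
    """Evaluate a subset of RFC 4515 filters: &, |, !, equality, presence."""
    body = flt.strip()[1:-1]
    if body[0] == "&":
        return all(match_filter(entry, p) for p in _split_top(body[1:]))
    if body[0] == "|":
        return any(match_filter(entry, p) for p in _split_top(body[1:]))
    if body[0] == "!":
        return not match_filter(entry, body[1:])
    attr, _, value = body.partition("=")  # DN values may contain "=" too
    values = [v.lower() for v in entry.get(attr.lower(), [])]
    return bool(values) if value == "*" else value.lower() in values


def compute_nsrole(entries, roles):
    """Return {entry DN: set of role DNs}, computed on real attributes only."""
    nsrole = {dn: set() for dn in entries}
    for role_dn, role in roles.items():
        for dn, e in entries.items():
            if not in_subtree(dn, parent_dn(role_dn)):
                continue  # assumed scope: subtree the role is defined in
            if role["type"] == "managed":
                hit = role_dn.lower() in [v.lower() for v in e.get("nsroledn", [])]
            else:  # filtered role: its filter never sees CoS output
                hit = match_filter(e, role["nsrolefilter"])
            if hit:
                nsrole[dn].add(role_dn)
    return nsrole


def apply_cos(entries, nsrole, cos_by_role):
    """Add CoS virtual attributes whose specifier is nsRole; real values win."""
    view = {}
    for dn, e in entries.items():
        v = {k: list(vals) for k, vals in e.items()}
        v["nsrole"] = sorted(nsrole[dn])
        for role_dn, attrs in cos_by_role.items():
            if role_dn in nsrole[dn]:
                for a, val in attrs.items():
                    v.setdefault(a.lower(), [val])
        view[dn] = v
    return view


def search(entries, roles, cos_by_role, base, flt):
    """Slow path: every role is evaluated before the filter is applied."""
    view = apply_cos(entries, compute_nsrole(entries, roles), cos_by_role)
    return sorted(dn for dn, e in view.items()
                  if in_subtree(dn, base) and match_filter(e, flt))


def managed_members_via_index(entries, role_dn):
    """Fast path: equality on a managed role becomes an nsRoleDN index lookup."""
    index = {}
    for dn, e in entries.items():
        for v in e.get("nsroledn", []):
            index.setdefault(v.lower(), set()).add(dn)
    return sorted(d for d in index.get(role_dn.lower(), set())
                  if in_subtree(d, parent_dn(role_dn)))


PEOPLE = "ou=people,dc=example,dc=com"
MANAGER = "cn=ManagerRole," + PEOPLE
DEPT100 = "cn=Dept100Role," + PEOPLE
BIGQUOTA = "cn=BigQuotaRole," + PEOPLE  # its filter names a CoS attribute
ENTRIES = {  # constructed sample entries
    "uid=alice," + PEOPLE: {"uid": ["alice"], "nsroledn": [MANAGER]},
    "uid=bob," + PEOPLE: {"uid": ["bob"], "departmentnumber": ["100"]},
    "uid=carol,ou=contractors,dc=example,dc=com":
        {"uid": ["carol"], "nsroledn": [MANAGER]},  # outside the role scope
}
ROLES = {
    MANAGER: {"type": "managed"},
    DEPT100: {"type": "filtered", "nsrolefilter": "(departmentnumber=100)"},
    BIGQUOTA: {"type": "filtered", "nsrolefilter": "(mailquota=1000)"},
}
COS_BY_ROLE = {MANAGER: {"mailquota": "1000"}}  # CoS specifier: nsRole

if __name__ == "__main__":
    base = "dc=example,dc=com"
    print(search(ENTRIES, ROLES, COS_BY_ROLE, base, "(nsrole=%s)" % MANAGER))
    print(managed_members_via_index(ENTRIES, MANAGER))
    print(search(ENTRIES, ROLES, COS_BY_ROLE, base, "(nsrole=%s)" % BIGQUOTA))
    print(search(ENTRIES, ROLES, COS_BY_ROLE, base, "(mailquota=1000)"))
```

Running it shows that the managed-role equality search and the nsRoleDN index lookup return the same members (and that carol, who carries the nsRoleDN value but sits outside the role's subtree, is excluded by both), that the filtered role whose filter depends on the CoS-generated mailquota attribute has no members at all, and that a search on mailquota itself does match, because the CoS definition keys on nsRole. The model ignores nested roles, the nsRoleScopeDN extension and chaining, all of which the page discusses but which add nothing to these two points.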