[Freeipa-devel] [PATCH] Enable filtering search results by member attributes.

Rob Crittenden rcritten at redhat.com
Wed Dec 8 19:30:03 UTC 2010


Pavel Zůna wrote:
> On 2010-11-30 04:06, Rob Crittenden wrote:
>> Pavel Zůna wrote:
>>> LDAPSearch base class has now the ability to generate additional
>>> options for objects with member attributes. These options are
>>> used to filter search results - search only for objects without
>>> the specified members.
>>>
>>> Any class that extends LDAPSearch can benefit from this functionality.
>>> This patch enables it for the following objects:
>>> group, netgroup, rolegroup, hostgroup, taskgroup
>>>
>>> Example:
>>> ipa group-find --no-users=admin
>>>
>>> Only direct members are taken into account, but if we need indirect
>>> members as well - it's not a problem.
>>>
>>> Ticket #288
>>>
>>> Pavel
>>
>> This works as advertised but I wonder what would happen if a huge list
>> of members was passed in to ignore. Is there a limit on the search
>> filter size (remember that the member will be translated into a full dn
>> so will quickly grow in size).
>>
>> Should we impose a configurable limit on the # of members to be excluded?
>>
>> Is there a max search filter size and should we check that we haven't
>> exceeded that before doing a search?
>>
>> rob
>
> I tried it out with more than 1000 users and was getting an unwilling
> to perform error (search filter nested too deep).
>
> After a little bit of investigation, I figured the filter was being
> generated like this:
>
> (&(&(!(a=v))(!(a2=v2))))
>
> We were going deeper with each additional DN!
>
> I updated the patch to generate the filter like this instead:
>
> (!(|(a=v)(a2=v2)))
>
> Tried it again with more than 1000 users (~55Kb) - it worked and wasn't
> even slow.
>
> Updated patch attached.
>
> I also had to fix a bug in ldap2 filter generator, as a result this
> patch depends on my patch number 43.
>
> Pavel

You'll need to rebase this against master but otherwise ACK.

It might be a small optimization to de-dupe the no-users list but it 
isn't a priority.

rob
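The two filter shapes Pavel compares, as an added example that is not part of the original thread or of FreeIPA's code: it builds both forms for a list of constructed member DNs and measures their parenthesis nesting depth, showing why the folded AND-of-NOTs form grows deeper with every excluded member while the NOT-over-OR form stays at a constant depth. The attribute name, the base DN layout and the RFC 4515 escaping helper are assumptions.

```python
def escape_filter_value(value):
    """Escape an assertion value per RFC 4515 (e.g. '*' becomes '\\2a')."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def member_dn(uid, base='cn=users,cn=accounts,dc=example,dc=com'):
    """Expand a bare user name to a full DN (constructed base DN)."""
    return 'uid=%s,%s' % (uid, base)


def nested_exclusion_filter(attr, dns):
    """The problematic shape: every additional DN wraps the running
    filter in another (&...), so depth grows linearly with len(dns)."""
    filt = None
    for dn in dns:
        term = '(!(%s=%s))' % (attr, escape_filter_value(dn))
        filt = term if filt is None else '(&%s%s)' % (filt, term)
    return filt


def flat_exclusion_filter(attr, dns):
    """The fixed shape from the thread: one NOT over one OR of all
    member assertions, so depth is constant regardless of len(dns)."""
    terms = ''.join('(%s=%s)' % (attr, escape_filter_value(dn)) for dn in dns)
    return '(!(|%s))' % terms


def nesting_depth(filt):
    """Maximum parenthesis nesting depth of a filter string; this is
    what a 'search filter nested too deep' limit is measured against."""
    depth = best = 0
    for ch in filt:
        if ch == '(':
            depth += 1
            best = max(best, depth)
        elif ch == ')':
            depth -= 1
    return best


if __name__ == '__main__':
    excluded = [member_dn('user%d' % i) for i in range(1000)]
    for build in (nested_exclusion_filter, flat_exclusion_filter):
        f = build('member', excluded)
        print('%-25s depth=%4d size=%6d' % (build.__name__, nesting_depth(f), len(f)))
```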