[Freeipa-devel] [PATCH] 810 speed up indirect member processing
Jan Cholasta
jcholast at redhat.com
Wed Apr 8 08:21:43 UTC 2015
Hi,
Dne 31.3.2015 v 12:11 Petr Vobornik napsal(a):
> the old implementation tried to get all entries which are member of
> group. That means also user. User can't have any members therefore this
> costly processing was unnecessary.
>
> New implementation reduces the search only to entries which can have
> entries.
>
> Also page size was removed to avoid paging by small pages(default size:
> 100) which is very slow for many members.
>
> https://fedorahosted.org/freeipa/ticket/4947
>
> Useful to test with #809
1) To search for entries with members, you should search for entries
with the member attribute set ('(member=*)'), not for entries with some
arbitrary object class.
2) I don't like how the search in get_memberindirect is limited to an
arbitrary hard-coded subtree. You should go through the object's
attribute_members to figure out which subtrees to search.
3) Since memberindirect and memberofindirect are not real attributes,
you must define their syntax in ipaldap before you cat set them using
.raw[], otherwise they will be decoded to wrong type.
4) The processing of memberof should be done even when memberofindirect
is not requested, otherwise its value will depend on whether
memberofindirect was requested or not.
5) I would prefer if all membership processing
(.convert_attribute_members() and .get_indirect_members()) was done in a
single LDAPObject method.
Honza
--
Jan Cholasta
More information about the Freeipa-devel
mailing list