[Freeipa-devel] [PATCH] 810 speed up indirect member processing

Jan Cholasta jcholast at redhat.com
Mon Apr 20 07:51:13 UTC 2015 

Dne 9.4.2015 v 13:56 Petr Vobornik napsal(a):
> On 04/08/2015 10:21 AM, Jan Cholasta wrote:
>> Hi,
>>
>> Dne 31.3.2015 v 12:11 Petr Vobornik napsal(a):
>>> the old implementation tried to get all entries which are member of
>>> group. That means also user. User can't have any members therefore this
>>> costly processing was unnecessary.
>>>
>>> New implementation reduces the search only to entries which can have
>>> entries.
>>>
>>> Also page size was removed to avoid paging by small pages(default size:
>>> 100) which is very slow for many members.
>>>
>>> https://fedorahosted.org/freeipa/ticket/4947
>>>
>>> Useful to test with #809
>>
>> 1) To search for entries with members, you should search for entries
>> with the member attribute set ('(member=*)'), not for entries with some
>> arbitrary object class.
>
> Replaced, new presence index added
>
>>
>>
>> 2) I don't like how the search in get_memberindirect is limited to an
>> arbitrary hard-coded subtree. You should go through the object's
>> attribute_members to figure out which subtrees to search.
>>
>
> The subtree search was removed.
>
>>
>> 3) Since memberindirect and memberofindirect are not real attributes,
>> you must define their syntax in ipaldap before you cat set them using
>> .raw[], otherwise they will be decoded to wrong type.
>
> Added.
>
>>
>> 4) The processing of memberof should be done even when memberofindirect
>> is not requested, otherwise its value will depend on whether
>> memberofindirect was requested or not.
>
> True, but it's the same behavior as before. Could be changed in other
> patch.

OK. Should we file a ticket?

>
>>
>>
>> 5) I would prefer if all membership processing
>> (.convert_attribute_members() and .get_indirect_members()) was done in a
>> single LDAPObject method.
>
> Now, as before, get_indirect_members is called before post callbacks and
> convert_attribute_members after. If it should be combined, it should be
> done separately.

OK, but at least move get_indirect_members to LDAPObject.

>
>>
>>
>> Honza
>>


-- 
Jan Cholasta

More information about the Freeipa-devel mailing list