[Freeipa-devel] [PATCH] 810 speed up indirect member processing

Petr Vobornik pvoborni at redhat.com
Mon Apr 20 09:59:33 UTC 2015


On 04/20/2015 09:51 AM, Jan Cholasta wrote:
> On 9.4.2015 at 13:56 Petr Vobornik wrote:
>> On 04/08/2015 10:21 AM, Jan Cholasta wrote:
>>> Hi,
>>>
>>> On 31.3.2015 at 12:11 Petr Vobornik wrote:
>>>> The old implementation tried to get all entries which are members of
>>>> a group. That also means users. A user can't have any members,
>>>> therefore this costly processing was unnecessary.
>>>>
>>>> New implementation reduces the search only to entries which can have
>>>> entries.
>>>>
>>>> Also, the page size was removed to avoid paging by small pages (default
>>>> size: 100), which is very slow for many members.
>>>>
>>>> https://fedorahosted.org/freeipa/ticket/4947
>>>>
>>>> Useful to test with #809
>>>
>>> 1) To search for entries with members, you should search for entries
>>> with the member attribute set ('(member=*)'), not for entries with some
>>> arbitrary object class.
>>
>> Replaced, new presence index added
>>
>>>
>>>
>>> 2) I don't like how the search in get_memberindirect is limited to an
>>> arbitrary hard-coded subtree. You should go through the object's
>>> attribute_members to figure out which subtrees to search.
>>>
>>
>> The subtree search was removed.
>>
>>>
>>> 3) Since memberindirect and memberofindirect are not real attributes,
>>> you must define their syntax in ipaldap before you can set them using
>>> .raw[], otherwise they will be decoded to the wrong type.
>>
>> Added.
>>
>>>
>>> 4) The processing of memberof should be done even when memberofindirect
>>> is not requested, otherwise its value will depend on whether
>>> memberofindirect was requested or not.
>>
>> True, but it's the same behavior as before. Could be changed in another
>> patch.
>
> OK. Should we file a ticket?

AFAIK, memberof and memberofindirect are always requested together atm.
Do we have a use case for this change? In any case, I've opened a ticket
about finer control of fetching members (as was discussed
previously in triage and dev mtgs), it might be part of it.

https://fedorahosted.org/freeipa/ticket/4995

>>
>>>
>>>
>>> 5) I would prefer if all membership processing
>>> (.convert_attribute_members() and .get_indirect_members()) was done in a
>>> single LDAPObject method.
>>
>> Now, as before, get_indirect_members is called before post callbacks and
>> convert_attribute_members after. If it should be combined, it should be
>> done separately.
>
> OK, but at least move get_indirect_members to LDAPObject.
>

Moved
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-pvoborni-0810-2-speed-up-indirect-member-processing.patch
Type: text/x-patch
Size: 13011 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150420/bb04b862/attachment.bin>
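
Added example, not part of this thread and not code from the FreeIPA patch: a sketch of the approach discussed above, where indirect members are resolved from a single unpaged search limited to entries that have the member attribute set ('(member=*)'), so leaf entries such as users are never fetched. The in-memory directory, the DNs and the function names are constructed for illustration, and the search helper is a stand-in for a real LDAP query.

```python
from collections import deque

# Constructed sample directory: DN -> attributes (not real FreeIPA data).
DIRECTORY = {
    "cn=admins,cn=groups": {"member": ["cn=ops,cn=groups", "uid=alice,cn=users"]},
    "cn=ops,cn=groups": {"member": ["cn=oncall,cn=groups", "uid=bob,cn=users"]},
    # Nested group that points back at its ancestor (membership cycle).
    "cn=oncall,cn=groups": {"member": ["uid=carol,cn=users", "cn=admins,cn=groups"]},
    "cn=empty,cn=groups": {},
    "uid=alice,cn=users": {},
    "uid=bob,cn=users": {},
    "uid=carol,cn=users": {},
}


def search_member_present(directory):
    """Stand-in for one unpaged LDAP search with the filter (member=*).

    Only entries that actually have members are returned, so users and
    empty groups are never transferred or processed.
    """
    return {dn: attrs["member"] for dn, attrs in directory.items()
            if attrs.get("member")}


def indirect_members(directory, group_dn):
    """Return DNs reachable through nested entries but not direct members."""
    containers = search_member_present(directory)
    direct = set(containers.get(group_dn, []))
    reached = set()
    visited = {group_dn}  # guards against membership cycles
    queue = deque(dn for dn in direct if dn in containers)
    while queue:
        dn = queue.popleft()
        if dn in visited:
            continue
        visited.add(dn)
        for member in containers[dn]:
            reached.add(member)
            if member in containers:  # only entries with members can nest
                queue.append(member)
    return reached - direct - {group_dn}


if __name__ == "__main__":
    print(len(search_member_present(DIRECTORY)), "of", len(DIRECTORY),
          "entries fetched")
    print(sorted(indirect_members(DIRECTORY, "cn=admins,cn=groups")))
```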

