[Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

Martin Basti mbasti at redhat.com
Tue Jun 9 14:37:56 UTC 2015 

On 09/06/15 08:58, Fraser Tweedale wrote:
> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>> New patches attached.  Comments inline.
>> Thanks Fraser!
>>
>> ...
>>>> 5)
>>>> Missing referint plugin configuration for attribute
>>>> 'ipacaaclmembercertprofile'
>>>> Please add it into install/updates/25-referint.update (+ other member
>>>> attributes if missing)
>>>>
>>> Added this.  There is a comment in 25-referint.update:
>>>
>>>      # pres and eq indexes defined in 20-indices.update must be set
>>>      # for all the attributes
>>>
>>> Can you explain what is required here?  Is it just to add: I see
>>> things for memberUser and memberHost in indices.ldif but nothing for
>>> memberService.  Do I need to add to indices.ldif:
>>>
>>>      dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>      changetype: add
>>>      cn: memberProfile
>>>      ObjectClass: top
>>>      ObjectClass: nsIndex
>>>      nsSystemIndex: false
>>>      nsIndexType: eq
>>>      nsIndexType: pres
>>>      nsIndexType: sub
>>>
>>> , and similarly for memberCa?  Sorry I do not know much about LDAP
>>> indexing.
>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite an expensive
>> index to use and I now cannot think of memberProfile search where you would
>> need a substring...
>>
>> Thanks,
>> Martin
> Updated patch attached, which adds the indices.  (Also rebased).
>
> There is a commit that seems to indicate that substring index is
> needed, so I have included substring indices in this patchset.
> Copied Honza in case he wants to comment.
>
>      commit a10521a1dcf69960d6ce0bf5657180b709c297c0
>      Author: Jan Cholasta <jcholast at redhat.com>
>      Date:   Tue Jun 25 13:16:40 2013 +0000
>
>          Add missing substring indices for attributes managed by the referint plugin.
>
>          The referint plugin does a substring search on these attributes each time an
>          entry is deleted, which causes a noticable slowdown for large directories if
>          the attributes are not indexed.
>
>          https://fedorahosted.org/freeipa/ticket/3706
>
> Cheers,
> Fraser
ACK

Please send the upgrade patch ASAP :)

-- 
Martin Basti

More information about the Freeipa-devel mailing list