[Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

Martin Basti mbasti at redhat.com
Wed Jun 10 11:44:03 UTC 2015


On 10/06/15 06:40, Fraser Tweedale wrote:
> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
>> On 09/06/15 08:58, Fraser Tweedale wrote:
>>> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>>>> New patches attached.  Comments inline.
>>>> Thanks Fraser!
>>>>
>>>> ...
>>>>>> 5)
>>>>>> Missing referint plugin configuration for attribute
>>>>>> 'ipacaaclmembercertprofile'
>>>>>> Please add it into install/updates/25-referint.update (+ other member
>>>>>> attributes if missing)
>>>>>>
>>>>> Added this.  There is a comment in 25-referint.update:
>>>>>
>>>>>      # pres and eq indexes defined in 20-indices.update must be set
>>>>>      # for all the attributes
>>>>>
>>>>> Can you explain what is required here?  Is it just to add: I see
>>>>> things for memberUser and memberHost in indices.ldif but nothing for
>>>>> memberService.  Do I need to add to indices.ldif:
>>>>>
>>>>>      dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>>>      changetype: add
>>>>>      cn: memberProfile
>>>>>      ObjectClass: top
>>>>>      ObjectClass: nsIndex
>>>>>      nsSystemIndex: false
>>>>>      nsIndexType: eq
>>>>>      nsIndexType: pres
>>>>>      nsIndexType: sub
>>>>>
>>>>> , and similarly for memberCa?  Sorry I do not know much about LDAP
>>>>> indexing.
>>>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite an expensive
>>>> index to use and I now cannot think of memberProfile search where you would
>>>> need a substring...
>>>>
>>>> Thanks,
>>>> Martin
>>> Updated patch attached, which adds the indices.  (Also rebased).
>>>
>>> There is a commit that seems to indicate that substring index is
>>> needed, so I have included substring indices in this patchset.
>>> Copied Honza in case he wants to comment.
>>>
>>>      commit a10521a1dcf69960d6ce0bf5657180b709c297c0
>>>      Author: Jan Cholasta <jcholast at redhat.com>
>>>      Date:   Tue Jun 25 13:16:40 2013 +0000
>>>
>>>          Add missing substring indices for attributes managed by the referint plugin.
>>>
>>>          The referint plugin does a substring search on these attributes each time an
>>>          entry is deleted, which causes a noticeable slowdown for large directories if
>>>          the attributes are not indexed.
>>>
>>>          https://fedorahosted.org/freeipa/ticket/3706
>>>
>>> Cheers,
>>> Fraser
>> ACK
>>
>> Please send the upgrade patch ASAP :)
>>
>> -- 
>> Martin Basti
>>
> Thank you for the ACK \o/
>
> Since the patches have not been pushed, here is an updated patchset
> which adds the upgrade behaviour.  There are no changes apart from
> the additions to ipaserver/install/server/upgrade.py.
>
> Cheers,
> Fraser
ACK


-- 
Martin Basti
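
Added example, not part of the thread and not FreeIPA code: a check that every attribute handled by the referint plugin has the eq, pres and sub indexes discussed above. The memberProfile record is the one quoted in the thread; the memberCa record, the attribute list and the function names are constructed for illustration.

```python
# Added example with constructed data; not FreeIPA code.
REQUIRED = {"eq", "pres", "sub"}

# Index definitions in the LDIF shape quoted in the thread (second record constructed).
SAMPLE_INDICES = """\
dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: add
cn: memberProfile
ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub

dn: cn=memberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: memberCa
nsIndexType: eq
nsIndexType: pres
"""

# Constructed list of attributes assumed to be managed by referint.
REFERINT_ATTRS = ["memberProfile", "memberCa", "memberService"]

def parse_indices(ldif):
    """Map lower-cased attribute name -> set of nsIndexType values."""
    indices = {}
    for record in ldif.strip().split("\n\n"):
        name, types = None, set()
        for line in record.splitlines():
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            if key == "cn":
                name = value.lower()
            elif key == "nsindextype":
                types.add(value.lower())
        if name:
            indices[name] = types
    return indices

def missing_indices(referint_attrs, ldif):
    """Return {attr: sorted missing index types} for under-indexed attributes."""
    indices = parse_indices(ldif)
    report = {}
    for attr in referint_attrs:
        missing = REQUIRED - indices.get(attr.lower(), set())
        if missing:
            report[attr] = sorted(missing)
    return report
```

Calling `missing_indices(REFERINT_ATTRS, SAMPLE_INDICES)` reports memberCa as lacking the substring index and memberService as having no index entry at all.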



