[Freeipa-devel] [PATCHES 00012-0013 v7] Profiles and CA ACLs

Jan Cholasta jcholast at redhat.com
Wed Jun 10 11:50:35 UTC 2015


On 10.6.2015 at 13:44, Martin Basti wrote:
> On 10/06/15 06:40, Fraser Tweedale wrote:
>> On Tue, Jun 09, 2015 at 04:37:56PM +0200, Martin Basti wrote:
>>> On 09/06/15 08:58, Fraser Tweedale wrote:
>>>> On Mon, Jun 08, 2015 at 08:49:06AM +0200, Martin Kosek wrote:
>>>>> On 06/08/2015 03:31 AM, Fraser Tweedale wrote:
>>>>>> New patches attached.  Comments inline.
>>>>> Thanks Fraser!
>>>>>
>>>>> ...
>>>>>>> 5)
>>>>>>> Missing referint plugin configuration for attribute
>>>>>>> 'ipacaaclmembercertprofile'
>>>>>>> Please add it into install/updates/25-referint.update (+ other member
>>>>>>> attributes if missing)
>>>>>>>
>>>>>> Added this.  There is a comment in 25-referint.update:
>>>>>>
>>>>>>      # pres and eq indexes defined in 20-indices.update must be set
>>>>>>      # for all the attributes
>>>>>>
>>>>>> Can you explain what is required here?  Is it just to add: I see
>>>>>> things for memberUser and memberHost in indices.ldif but nothing for
>>>>>> memberService.  Do I need to add to indices.ldif:
>>>>>>
>>>>>>      dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
>>>>>>      changetype: add
>>>>>>      cn: memberProfile
>>>>>>      ObjectClass: top
>>>>>>      ObjectClass: nsIndex
>>>>>>      nsSystemIndex: false
>>>>>>      nsIndexType: eq
>>>>>>      nsIndexType: pres
>>>>>>      nsIndexType: sub
>>>>>>
>>>>>> , and similarly for memberCa?  Sorry I do not know much about LDAP
>>>>>> indexing.
>>>>> AFAIR, yes. BTW, where does the "sub" index come from? It is quite an expensive
>>>>> index to use and I now cannot think of memberProfile search where you would
>>>>> need a substring...
>>>>>
>>>>> Thanks,
>>>>> Martin
>>>> Updated patch attached, which adds the indices.  (Also rebased).
>>>>
>>>> There is a commit that seems to indicate that substring index is
>>>> needed, so I have included substring indices in this patchset.
>>>> Copied Honza in case he wants to comment.
>>>>
>>>>      commit a10521a1dcf69960d6ce0bf5657180b709c297c0
>>>>      Author: Jan Cholasta <jcholast at redhat.com>
>>>>      Date:   Tue Jun 25 13:16:40 2013 +0000
>>>>
>>>>          Add missing substring indices for attributes managed by the referint plugin.
>>>>
>>>>          The referint plugin does a substring search on these attributes each time an
>>>>          entry is deleted, which causes a noticeable slowdown for large directories if
>>>>          the attributes are not indexed.
>>>>
>>>>          https://fedorahosted.org/freeipa/ticket/3706
>>>>
>>>> Cheers,
>>>> Fraser
>>> ACK
>>>
>>> Please send the upgrade patch ASAP :)
>>>
>>> --
>>> Martin Basti
>>>
>> Thank you for the ACK \o/
>>
>> Since the patches have not been pushed, here is an updated patchset
>> which adds the upgrade behaviour.  There are no changes apart from
>> the additions to ipaserver/install/server/upgrade.py.
>>
>> Cheers,
>> Fraser
> ACK

NACK, the new OIDs are not registered.

BTW all new attribute names should have the "ipa" prefix. Also I would 
prefer "CertProfile" instead of just "Profile" in certificate profile 
related names. Please rename the attributes as follows:

     memberCa -> ipaMemberCa
     memberProfile -> ipaMemberCertProfile
     caCategory -> ipaCaCategory
     profileCategory -> ipaCertProfileCategory

Honza

-- 
Jan Cholasta
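
The index requirement discussed in the quoted thread (eq, pres and sub indexes for every attribute the referint plugin manages), as an added example that is not part of the original message or of the FreeIPA code base. The sample LDIF and the attribute list passed to `missing_indexes` are constructed; the entry layout follows the one quoted above, and the function names are hypothetical.

```python
# Added example: report referint-managed attributes that lack eq, pres or sub indexes.
REQUIRED = {"eq", "pres", "sub"}

# Constructed sample in the entry layout quoted in the thread (not FreeIPA's real indices.ldif).
SAMPLE_LDIF = """\
dn: cn=memberProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: memberProfile
objectClass: nsIndex
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub

dn: cn=memberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn: memberCa
objectClass: nsIndex
nsIndexType: eq
nsIndexType: pres
"""

def unfold(text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def index_types(ldif_text):
    """Map lower-cased index cn -> set of nsIndexType values, one entry per blank-line block."""
    found, current = {}, None
    for line in unfold(ldif_text):
        if not line.strip():
            current = None  # a blank line ends the current entry
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "cn":
            current = found.setdefault(value.lower(), set())
        elif key == "nsindextype" and current is not None:
            current.update(v.strip().lower() for v in value.split(","))
    return found

def missing_indexes(referint_attrs, ldif_text):
    """Return {attribute: [missing index types]} for attributes not fully indexed."""
    have = index_types(ldif_text)
    gaps = {a: sorted(REQUIRED - have.get(a.lower(), set())) for a in referint_attrs}
    return {a: g for a, g in gaps.items() if g}
```

Running `missing_indexes(["memberProfile", "memberCa", "memberService"], SAMPLE_LDIF)` flags `memberCa` as missing the substring index and `memberService` as having no index entry at all.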



