[Freeipa-devel] user-* commands performance issues

Martin Basti mbasti at redhat.com
Thu Mar 17 15:09:32 UTC 2016


Hello all,

I would like to discuss how we should improve the speed of 
user-find commands (and other commands too if possible):

0)
Do not do an extra search for ipasshpubkey. This is clear; a patch is 
posted for review.
https://fedorahosted.org/freeipa/ticket/3376

commands: user, stageuser, host, idview

1)
Make the --no-members option visible in the CLI
https://fedorahosted.org/freeipa/ticket/4995

I don't think we should also implement --no-indirect-members; I think 
that this kind of granularity is not needed.
If --no-members is used, then indirect members will be ignored too.

commands: all which use members

2)
Limit the amount of searches for memberof[indirect] (group, netgroup, 
role, hbacrule, sudorule) and search for each dn only once in find commands.

We can have a configurable option in default.conf (for example 
memberof_search_limit=100 (0 unlimited)). Find commands will get members 
only for the specified amount, and if this limit is exceeded a warning 
message is shown.
I do not like this idea much; I think it should be all or nothing, and I 
prefer not to do this.

However, I like the idea of temporary caching inside find commands, where 
each memberof DN is resolved just once and results are cached in a map 
and reused in the current context of the command. This should be an 
improvement mainly for indirect searches, but the cache should be faster 
for direct members than doing internal calls of framework objects. This 
part is backward compatible; the first part is not.

https://fedorahosted.org/freeipa/ticket/5282

commands: user-find, stageuser-find, possibly all find commands

3)
Remove userPassword and krbPrincipalKey from search results.
This change is not backward compatible; can we do this?

https://fedorahosted.org/freeipa/ticket/5281

commands: user-find

Martin^2
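
The per-command cache from point 2, sketched as an added example (not FreeIPA code and not part of the original message). `CountingBackend`, `resolve_memberof` and `find_users` are hypothetical names, and the directory is constructed sample data standing in for LDAP.

```python
# Constructed sample data: DN -> DNs of the groups it is a direct member of.
DIRECTORY = {
    "uid=alice": ["cn=devs"],
    "uid=bob": ["cn=devs"],
    "uid=carol": ["cn=devs", "cn=admins"],
    "cn=devs": ["cn=engineering"],
    "cn=engineering": ["cn=staff"],
    "cn=admins": ["cn=staff"],
    "cn=staff": [],
}

class CountingBackend:
    """Hypothetical stand-in for the LDAP backend; counts entry reads."""
    def __init__(self, entries):
        self.entries = entries
        self.reads = 0
    def get_memberof(self, dn):
        self.reads += 1
        return self.entries.get(dn, [])

def resolve_memberof(backend, dn, cache=None):
    """Return (direct, indirect) group DNs for dn, walking nested groups."""
    def direct_of(d):
        if cache is None:              # no cache: every visit hits the backend
            return backend.get_memberof(d)
        if d not in cache:             # first visit in this command: resolve once
            cache[d] = backend.get_memberof(d)
        return cache[d]

    direct = list(direct_of(dn))
    seen = set(direct)                 # also guards against membership cycles
    indirect, queue = [], list(direct)
    while queue:
        for parent in direct_of(queue.pop(0)):
            if parent not in seen:
                seen.add(parent)
                indirect.append(parent)
                queue.append(parent)
    return direct, indirect

def find_users(backend, user_dns, use_cache):
    cache = {} if use_cache else None  # the map lives only for this one find call
    return {dn: resolve_memberof(backend, dn, cache) for dn in user_dns}

if __name__ == "__main__":
    for use_cache in (False, True):
        backend = CountingBackend(DIRECTORY)
        find_users(backend, ["uid=alice", "uid=bob", "uid=carol"], use_cache)
        print("cache" if use_cache else "no cache", backend.reads, "reads")
```

With the sample data the uncached run reads 13 entries and the cached run 7, with identical results.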