[Freeipa-devel] [PATCH] Enable filtering search results by member attributes.

Jan Zelený jzeleny at redhat.com
Mon Dec 20 16:20:40 UTC 2010


Pavel Zuna <pzuna at redhat.com> wrote:
> On 12/08/2010 08:30 PM, Rob Crittenden wrote:
> > Pavel Zůna wrote:
> >> On 2010-11-30 04:06, Rob Crittenden wrote:
> >>> Pavel Zůna wrote:
> >>>> LDAPSearch base class has now the ability to generate additional
> >>>> options for objects with member attributes. These options are
> >>>> used to filter search results - search only for objects without
> >>>> the specified members.
> >>>> 
> >>>> Any class that extends LDAPSearch can benefit from this functionality.
> >>>> This patch enables it for the following objects:
> >>>> group, netgroup, rolegroup, hostgroup, taskgroup
> >>>> 
> >>>> Example:
> >>>> ipa group-find --no-users=admin
> >>>> 
> >>>> Only direct members are taken into account, but if we need indirect
> >>>> members as well - it's not a problem.
> >>>> 
> >>>> Ticket #288
> >>>> 
> >>>> Pavel
> >>> 
> >>> This works as advertised but I wonder what would happen if a huge list
> >>> of members was passed in to ignore. Is there a limit on the search
> >>> filter size (remember that the member will be translated into a full dn
> >>> so will quickly grow in size).
> >>> 
> >>> Should we impose a configurable limit on the # of members to be
> >>> excluded?
> >>> 
> >>> Is there a max search filter size and should we check that we haven't
> >>> exceeded that before doing a search?
> >>> 
> >>> rob
> >> 
> >> I tried it out with more than 1000 users and was getting an unwilling
> >> to perform error (search filter nested too deep).
> >> 
> >> After a little bit of investigation, I figured the filter was being
> >> generated like this:
> >> 
> >> (&(&(!(a=v))(!(a2=v2))))
> >> 
> >> We were going deeper with each additional DN!
> >> 
> >> I updated the patch to generate the filter like this instead:
> >> 
> >> (!(|(a=v)(a2=v2)))
> >> 
> >> Tried it again with more than 1000 users (~55Kb) - it worked and wasn't
> >> even slow.
> >> 
> >> Updated patch attached.
> >> 
> >> I also had to fix a bug in ldap2 filter generator, as a result this
> >> patch depends on my patch number 43.
> >> 
> >> Pavel
> > 
> > You'll need to rebase this against master but otherwise ACK.
> > 
> > It might be a small optimization to de-dupe the no-users list but it
> > isn't a priority.
> > 
> > rob
> 
> Re-based patch attached.
> 
> Pavel


This hasn't been pushed yet and the patch still applies against master.
Can someone push it so the ticket can be closed?

Jan
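The filter-depth problem Pavel describes above is easy to reproduce. The following is an added example, not FreeIPA's ldap2 code: it builds the exclusion filter both ways, the wrapping shape that grows one level deeper per DN and the flat `(!(|...))` shape the updated patch uses, de-dupes the member list as Rob suggested, and measures nesting depth. The DN layout, the `escape_filter_value` helper and the function names are assumptions for the example.

```python
from typing import Iterable, List, Tuple

# RFC 4515 escaping for values embedded in a filter (assumed helper, not ldap2's).
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a raw value so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_dns(attr: str, users: Iterable[str], base_dn: str) -> List[Tuple[str, str]]:
    """Translate user names into (attribute, DN) pairs to exclude; the DN layout
    is an assumption for this example. Duplicates are dropped so a repeated
    --no-users value does not bloat the filter."""
    seen, pairs = set(), []
    for uid in users:
        dn = f"uid={escape_filter_value(uid)},cn=users,cn=accounts,{base_dn}"
        if dn not in seen:
            seen.add(dn)
            pairs.append((attr, dn))
    return pairs


def nested_exclusion_filter(pairs: List[Tuple[str, str]]) -> str:
    """Original shape: each new exclusion wraps the previous filter in another
    (&...), so nesting depth grows by one per DN (the 'nested too deep' error)."""
    flt = ""
    for attr, dn in pairs:
        term = f"(!({attr}={dn}))"
        flt = term if not flt else f"(&{flt}{term})"
    return flt


def flat_exclusion_filter(pairs: List[Tuple[str, str]]) -> str:
    """Updated shape: a single NOT over one OR of all terms; depth stays at 3
    no matter how many DNs are excluded."""
    if not pairs:
        return ""
    return "(!(|" + "".join(f"({attr}={dn})" for attr, dn in pairs) + "))"


def filter_depth(flt: str) -> int:
    """Maximum parenthesis nesting depth of a filter string (values are escaped,
    so every parenthesis seen here is structural)."""
    depth = best = 0
    for ch in flt:
        if ch == "(":
            depth += 1
            best = max(best, depth)
        elif ch == ")":
            depth -= 1
    return best
```

Building both filters for 1000 constructed user names shows the nested form reaching depth 1001 while the flat form stays at depth 3, which is the difference the updated patch relies on.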