[Freeipa-devel] [PATCH 0286] baseldap: Handle missing parent objects properly in *-find

[thierry bordaz]

On 11/19/2014 12:24 PM, Martin Kosek wrote:
> On 11/19/2014 12:03 PM, Tomas Babej wrote:
>> Hi,
>>
>> When constructing a parent DN in LDAPSearch, we should always
>> check that the parent object exists (hence use get_dn_if_exists),
>> rather than search on unexistant containers (which can happen
>> with get_dn).
>>
>> Replaces get_dn calls with get_dn_if_exists in *-find commands
>> and makes sure proper error message is raised.
>>
>> https://fedorahosted.org/freeipa/ticket/4659
> Doesn't it produce extra LDAP search thus making all our search commands
> slower? Is that what we want? Wouldn't it be better to distinguish between LDAP
> search with no results and LDAP search with missing parent DN? The reply looks
> different, at least in CLI:
>
> # search result
> search: 4
> result: 0 Success
>
> # search result
> search: 4
> result: 32 No such object
> matchedDN: cn=accounts,dc=mkosek-f20,dc=test
>
> Also, I do not think you can just stop using get_dn(), some commands override
> this call to get more complex searches (like host-find searching for shortname).
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
Hello,

    If there is an extra search, will it be done on the same
    connection/bind ?
    Testing that an entry exists, even if no attribute are requested,
    loads the entry in the cache and evaluate the aci.
    If the entry does not exist, I do not think there is a gain between
    search(base) and search(subtree).
    If the entry exists, it will add the overhead of first search
    (connect/bind/aci) and the benefit of the first search depends if
    this entry matches the filter.

    thanks
    thierry

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20141119/80c32e4d/attachment.htm>